Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2020-22217

Опубликовано: 22 авг. 2023
Источник: redhat
CVSS3: 5.9
EPSS Низкий

Описание

Buffer overflow vulnerability in c-ares before 1_16_1 thru 1_17_0 via function ares_parse_soa_reply in ares_parse_soa_reply.c.

A heap buffer over-read flaw was found in c-ares via the ares_parse_soa_reply function in ares_parse_soa_reply.c.

Отчет

The attack vector for this flaw initiates from a malicious server (a SOA reply to a client query) which requires a attacker set up a server a make it to be queried by a victim through cache poisoning or MITM, raising the Attack Complexity to High. This being a out of bounds reads does not bring a risk of memory corruption, which makes it of none impact to Integrity. Also the read limitis 2 bytes (16bit, unsigned short int) from the DNS_QUERY_TYPE MACRO[1] return and the read value would be ignored and not propagated anywhere since the subsequent check would also fail making the confidentiality impact as none. [1] https://github.com/c-ares/c-ares/blob/4d4fb34075c90d8f2f9ff81890152ab60f65e48e/include/ares_dns.h#L95 [2] https://github.com/c-ares/c-ares/issues/333

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat Ansible Automation Platform 2ansible-automation-platform-24/ee-supported-rhel8Not affected
Red Hat Enterprise Linux 6c-aresOut of support scope
Red Hat Enterprise Linux 7c-aresOut of support scope
Red Hat Enterprise Linux 8nodejs:16/nodejsNot affected
Red Hat Enterprise Linux 8nodejs:18/nodejsNot affected
Red Hat Enterprise Linux 8nodejs:20/nodejsNot affected
Red Hat Enterprise Linux 9c-aresNot affected
Red Hat Enterprise Linux 9nodejsNot affected
Red Hat Enterprise Linux 9nodejs:18/nodejsNot affected
Red Hat Enterprise Linux 9nodejs:20/nodejsNot affected

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-126
https://bugzilla.redhat.com/show_bug.cgi?id=2235527c-ares: Heap buffer over read in ares_parse_soa_reply

EPSS

Процентиль: 31%
0.00115
Низкий

5.9 Medium

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2020-22217

CVSS3: 5.9
ubuntu
почти 2 года назад

Buffer overflow vulnerability in c-ares before 1_16_1 thru 1_17_0 via function ares_parse_soa_reply in ares_parse_soa_reply.c.

nvd логотип

CVE-2020-22217

CVSS3: 5.9
nvd
почти 2 года назад

Buffer overflow vulnerability in c-ares before 1_16_1 thru 1_17_0 via function ares_parse_soa_reply in ares_parse_soa_reply.c.

msrc логотип

CVE-2020-22217

CVSS3: 5.9
msrc
5 месяцев назад

Описание отсутствует

debian логотип

CVE-2020-22217

CVSS3: 5.9
debian
почти 2 года назад

Buffer overflow vulnerability in c-ares before 1_16_1 thru 1_17_0 via ...

suse-cvrf логотип

SUSE-SU-2023:3690-1

suse-cvrf
почти 2 года назад

Security update for libcares2

EPSS

Процентиль: 31%
0.00115
Низкий

5.9 Medium

CVSS3