Описание
A flaw was found in the c-ares package. The ares_set_sortlist is missing checks about the validity of the input string, which allows a possible arbitrary length stack overflow. This issue may cause a denial of service or a limited impact on confidentiality and integrity.
Отчет
The severity of this vulnerability is not important but moderate because exploiting the vulnerability can lead to a disruption of the availability of an application, yet doesn’t compromise data integrity or confidentiality. The opportunity for disruption is further limited due to the requirement that an application allows an attacker to be able to input both untrusted and unvalidated data. Exploiting this flaw requires an application to use the library in such a way that would allow untrusted and unvalidated input to be passed directly to ares_set_sortlist by an attacker. In the event that this is able to occur, the impact to RHEL is limited to a crash of the application due to the protections offered by default in RHEL systems such as Stack Smashing Protection (SSP).
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 6 | c-ares | Out of support scope | ||
| Red Hat Enterprise Linux 7 | c-ares | Will not fix | ||
| Red Hat Enterprise Linux 8 | nodejs | Fixed | RHSA-2023:1582 | 04.04.2023 |
| Red Hat Enterprise Linux 8 | nodejs | Fixed | RHSA-2023:1743 | 12.04.2023 |
| Red Hat Enterprise Linux 8 | nodejs | Fixed | RHSA-2023:4035 | 12.07.2023 |
| Red Hat Enterprise Linux 8 | c-ares | Fixed | RHSA-2023:7116 | 14.11.2023 |
| Red Hat Enterprise Linux 8.4 Extended Update Support | nodejs | Fixed | RHSA-2023:1533 | 30.03.2023 |
| Red Hat Enterprise Linux 8.6 Extended Update Support | nodejs | Fixed | RHSA-2023:1742 | 12.04.2023 |
| Red Hat Enterprise Linux 8.8 Extended Update Support | c-ares | Fixed | RHSA-2023:7543 | 28.11.2023 |
| Red Hat Enterprise Linux 9 | nodejs | Fixed | RHSA-2023:2654 | 09.05.2023 |
Показывать по
Дополнительная информация
Статус:
EPSS
8.6 High
CVSS3
Связанные уязвимости
A flaw was found in the c-ares package. The ares_set_sortlist is missing checks about the validity of the input string, which allows a possible arbitrary length stack overflow. This issue may cause a denial of service or a limited impact on confidentiality and integrity.
A flaw was found in the c-ares package. The ares_set_sortlist is missing checks about the validity of the input string, which allows a possible arbitrary length stack overflow. This issue may cause a denial of service or a limited impact on confidentiality and integrity.
A flaw was found in the c-ares package. The ares_set_sortlist is missi ...
EPSS
8.6 High
CVSS3