CVE-2020-22217 — Out-of-bounds Read in C-ares

CWE-125 — Out-of-bounds Read CWE-126 — Buffer Over-read CWE-787 — Out-of-bounds Write9 documents9 sources

Severity

5.9MEDIUMNVD

EPSS

0.1%

top 69.92%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

C-ares Debian Linux Paloalto Pan-os

Timeline

PublishedAug 22

Latest updateApr 10

Description

Buffer overflow vulnerability in c-ares before 1_16_1 thru 1_17_0 via function ares_parse_soa_reply in ares_parse_soa_reply.c.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 2.2 | Impact: 3.6

Affected Packages3 packages

▶Debianc-ares/c-ares< 1.17.1-1+3

▶NVDc-ares/c-ares1.16.1, 1.17.0+1

▶Palo Altopaloalto/pan-os

Also affects: Debian Linux 10.0

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2020-22217: Buffer overflow vulnerability in c-ares before 1_16_1 thru 1_17_0 via function ares_parse_soa_reply in ares_parse_soa_reply↗2023-08-22

▶

CVEList

CVE-2020-22217: Buffer overflow vulnerability in c-ares before 1_16_1 thru 1_17_0 via function ares_parse_soa_reply in ares_parse_soa_reply↗2023-08-22

▶

GHSA

GHSA-88q4-8vpj-fqpg: Buffer overflow vulnerability in c-ares before 1_16_1 thru 1_17_0 via function ares_parse_soa_reply in ares_parse_soa_reply↗2023-08-22

▶

📋Vendor Advisories

Palo Alto

PAN-SA-2024-0004 Informational Bulletin: OSS CVEs fixed in PAN-OS↗2024-04-10

▶

Ubuntu

c-ares vulnerability↗2023-09-18

▶

Red Hat

c-ares: Heap buffer over read in ares_parse_soa_reply↗2023-08-22

▶

Microsoft

Buffer overflow vulnerability in c-ares before 1_16_1 thru 1_17_0 via function ares_parse_soa_reply in ares_parse_soa_reply.c.↗2023-08-08

▶

Debian

CVE-2020-22217: c-ares - Buffer overflow vulnerability in c-ares before 1_16_1 thru 1_17_0 via function a...↗2020

▶