CVE-2022-4904 — Improper Input Validation in Project C-ares

CWE-20 — Improper Input Validation CWE-1284 — Improper Validation of Specified Quantity in Input CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer8 documents8 sources

Severity

8.6HIGHNVD

EPSS

0.2%

top 62.96%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

C-ares C-ares Project C-ares Fedoraproject Fedora +1 more

Timeline

PublishedMar 6

Latest updateMar 14

Description

A flaw was found in the c-ares package. The ares_set_sortlist is missing checks about the validity of the input string, which allows a possible arbitrary length stack overflow. This issue may cause a denial of service or a limited impact on confidentiality and integrity.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:HExploitability: 3.9 | Impact: 4.7

Affected Packages4 packages

▶NVDc-ares_project/c-ares< 1.19.0

▶Debianc-ares/c-ares< 1.17.1-1+deb11u2+3

▶CVEListV5c-ares/c-aresunknown

▶CVEListV5c-ares_project/c-aresunknown

Also affects: Fedora 36, Enterprise Linux 8.0, 9.0

🔴Vulnerability Details

GHSA

GHSA-v7h6-g695-5j7q: A flaw was found in the c-ares package↗2023-03-07

▶

OSV

CVE-2022-4904: A flaw was found in the c-ares package↗2023-03-06

▶

CVEList

CVE-2022-4904: A flaw was found in the c-ares package↗2023-03-06

▶

📋Vendor Advisories

Microsoft

A flaw was found in the c-ares package. The ares_set_sortlist is missing checks about the validity of the input string which allows a possible arbitrary length stack overflow. This issue may cause a d↗2023-03-14

▶

Ubuntu

c-ares vulnerability↗2023-03-02

▶

Red Hat

c-ares: buffer overflow in config_sortlist() due to missing string length check↗2022-12-13

▶

Debian

CVE-2022-4904: c-ares - A flaw was found in the c-ares package. The ares_set_sortlist is missing checks ...↗2022

▶