CVE-2022-4904: A flaw was found in the c-ares package. The ares_set_sortlist is missing checks about the validity of the input string, which allows a possible arbitrary…

high8.6CVSS 3.1

AVNACLPRNUINSUCLILAH

A flaw was found in the c-ares package. The ares_set_sortlist is missing checks about the validity of the input string, which allows a possible arbitrary length stack overflow. This issue may cause a denial of service or a limited impact on confidentiality and integrity.

Affected

30 ranges· showing 25

Vendor	Product	Version range	Fixed in
c-ares	c-ares	>= 0 < 1.17.1-1+deb11u2	1.17.1-1+deb11u2
c-ares	c-ares	>= 0 < 1.18.1-2	1.18.1-2
c-ares	c-ares	>= 0 < 1.18.1-2	1.18.1-2
c-ares	c-ares	>= 0 < 1.18.1-2	1.18.1-2
c-ares_project	c-ares	< 1.19.0	1.19.0
c-ares_project	c-ares	—	—
debian	c-ares	< c-ares 1.18.1-2 (bookworm)	c-ares 1.18.1-2 (bookworm)
fedoraproject	fedora	—	—
msrc	azl3_grpc_1.42.0-7_on_azure_linux_3.0	—	—
msrc	azl3_grpc_1.62.0-2_on_azure_linux_3.0	—	—
msrc	azl3_rubygem-mini_portile2_2.8.4-1_on_azure_linux_3.0	—	—
msrc	azl3_tensorflow_2.16.1-9_on_azure_linux_3.0	—	—
msrc	azure_linux_3.0_arm	—	—
msrc	azure_linux_3.0_x64	—	—
msrc	cbl2_c-ares_1.19.0-1_on_cbl_mariner_2.0	—	—
msrc	cbl2_grpc_1.42.0-11_on_cbl_mariner_2.0	—	—
msrc	cbl2_nodejs_16.20.1-2_on_cbl_mariner_2.0	—	—
msrc	cbl2_python-gevent_21.1.2-3_on_cbl_mariner_2.0	—	—
msrc	cbl2_rubygem-mini_portile2_2.8.0-1_on_cbl_mariner_2.0	—	—
msrc	cbl_mariner_1.0_arm	—	—
msrc	cbl_mariner_1.0_x64	—	—
msrc	cbl_mariner_2.0_arm	—	—
msrc	cbl_mariner_2.0_x64	—	—
msrc	cm1_c-ares_1.19.0-1_on_cbl_mariner_1.0	—	—
msrc	cm1_grpc_1.35.0-9_on_cbl_mariner_1.0	—	—

CVSS provenance

nvdv3.18.6HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

osv8.6HIGH