{"api_version":"1","generated_at":"2026-04-22T23:31:31+00:00","cve":"CVE-2023-31130","urls":{"html":"https://cve.report/CVE-2023-31130","api":"https://cve.report/api/cve/CVE-2023-31130.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2023-31130","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2023-31130"},"summary":{"title":"CVE-2023-31130","description":"c-ares is an asynchronous resolver library. ares_inet_net_pton() is vulnerable to a buffer underflow for certain ipv6 addresses, in particular \"0::00:00:00/2\" was found to cause an issue.  C-ares only uses this function internally for configuration purposes which would require an administrator to configure such an address via ares_set_sortlist(). However, users may externally use ares_inet_net_pton() for other purposes and thus be vulnerable to more severe issues. This issue has been fixed in 1.19.1.","state":"PUBLIC","assigner":"security-advisories@github.com","published_at":"2023-05-25 22:15:00","updated_at":"2023-10-31 16:06:00"},"problem_types":["CWE-787"],"metrics":[],"references":[{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B5Z5XFNXTNPTCBBVXFDNZQVLLIE6VRBY/","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B5Z5XFNXTNPTCBBVXFDNZQVLLIE6VRBY/","refsource":"MISC","tags":[],"title":"[SECURITY] Fedora 38 Update: c-ares-1.19.1-1.fc38 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1","name":"https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1","refsource":"MISC","tags":[],"title":"Release 1.19.1 · c-ares/c-ares · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.debian.org/debian-lts-announce/2023/06/msg00034.html","name":"https://lists.debian.org/debian-lts-announce/2023/06/msg00034.html","refsource":"MISC","tags":[],"title":"[SECURITY] [DLA 3471-1] c-ares security update","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://security.gentoo.org/glsa/202310-09","name":"https://security.gentoo.org/glsa/202310-09","refsource":"MISC","tags":[],"title":"c-ares: Multiple Vulnerabilities (GLSA 202310-09) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.debian.org/security/2023/dsa-5419","name":"https://www.debian.org/security/2023/dsa-5419","refsource":"MISC","tags":[],"title":"Debian -- Security Information -- DSA-5419-1 c-ares","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/c-ares/c-ares/security/advisories/GHSA-x6mf-cxr9-8q6v","name":"https://github.com/c-ares/c-ares/security/advisories/GHSA-x6mf-cxr9-8q6v","refsource":"MISC","tags":[],"title":"Buffer Underwrite in ares_inet_net_pton() · Advisory · c-ares/c-ares · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UBFWILTA33LOSV23P44FGTQQIDRJHIY7/","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UBFWILTA33LOSV23P44FGTQQIDRJHIY7/","refsource":"MISC","tags":[],"title":"[SECURITY] Fedora 37 Update: c-ares-1.19.1-1.fc37 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-31130","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-31130","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2023","cve_id":"31130","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"c-ares_project","cpe5":"c-ares","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"31130","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"10.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"31130","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"11.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"31130","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"37","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"31130","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"38","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2023-31130","qid":"160732","title":"Oracle Enterprise Linux Security Update for nodejs (ELSA-2023-3586)"},{"cve":"CVE-2023-31130","qid":"160740","title":"Oracle Enterprise Linux Security Update for 18 (ELSA-2023-3577)"},{"cve":"CVE-2023-31130","qid":"160788","title":"Oracle Enterprise Linux Security Update for nodejs:16 (ELSA-2023-4034)"},{"cve":"CVE-2023-31130","qid":"160794","title":"Oracle Enterprise Linux Security Update for nodejs:18 (ELSA-2023-4035)"},{"cve":"CVE-2023-31130","qid":"161099","title":"Oracle Enterprise Linux Security Update for c-ares (ELSA-2023-6635)"},{"cve":"CVE-2023-31130","qid":"161189","title":"Oracle Enterprise Linux Security Update for c-ares (ELSA-2023-7207)"},{"cve":"CVE-2023-31130","qid":"181829","title":"Debian Security Update for c-ares (DSA 5419-1)"},{"cve":"CVE-2023-31130","qid":"184880","title":"Debian Security Update for c-ares (CVE-2023-31130)"},{"cve":"CVE-2023-31130","qid":"199418","title":"Ubuntu Security Notification for c-ares Vulnerabilities (USN-6164-1)"},{"cve":"CVE-2023-31130","qid":"241702","title":"Red Hat Update for nodejs:18 (RHSA-2023:3577)"},{"cve":"CVE-2023-31130","qid":"241724","title":"Red Hat Update for nodejs (RHSA-2023:3586)"},{"cve":"CVE-2023-31130","qid":"241786","title":"Red Hat Update for rh-nodejs14-nodejs (RHSA-2023:4039)"},{"cve":"CVE-2023-31130","qid":"241787","title":"Red Hat Update for nodejs (RHSA-2023:4036)"},{"cve":"CVE-2023-31130","qid":"241788","title":"Red Hat Update for nodejs:18 (RHSA-2023:4035)"},{"cve":"CVE-2023-31130","qid":"241790","title":"Red Hat Update for nodejs:16 (RHSA-2023:4033)"},{"cve":"CVE-2023-31130","qid":"241792","title":"Red Hat Update for nodejs:16 (RHSA-2023:4034)"},{"cve":"CVE-2023-31130","qid":"242322","title":"Red Hat Update for c-ares security (RHSA-2023:6635)"},{"cve":"CVE-2023-31130","qid":"242447","title":"Red Hat Update for c-ares (RHSA-2023:7207)"},{"cve":"CVE-2023-31130","qid":"242524","title":"Red Hat Update for c-ares (RHSA-2023:7543)"},{"cve":"CVE-2023-31130","qid":"242613","title":"Red Hat Update for c-ares (RHSA-2023:7392)"},{"cve":"CVE-2023-31130","qid":"284001","title":"Fedora Security Update for c (FEDORA-2023-ae97529c00)"},{"cve":"CVE-2023-31130","qid":"284101","title":"Fedora Security Update for c (FEDORA-2023-520848815b)"},{"cve":"CVE-2023-31130","qid":"355414","title":"Amazon Linux Security Advisory for c-ares : ALAS2023-2023-198"},{"cve":"CVE-2023-31130","qid":"356117","title":"Amazon Linux Security Advisory for ecs-service-connect-agent : ALAS2023-2023-344"},{"cve":"CVE-2023-31130","qid":"356246","title":"Amazon Linux Security Advisory for ecs-service-connect-agent : ALASECS-2023-007"},{"cve":"CVE-2023-31130","qid":"356504","title":"Amazon Linux Security Advisory for ecs-service-connect-agent : ALAS2ECS-2023-007"},{"cve":"CVE-2023-31130","qid":"6000134","title":"Debian Security Update for c-ares (DLA 3471-1)"},{"cve":"CVE-2023-31130","qid":"673270","title":"EulerOS Security Update for c-ares (EulerOS-SA-2023-2575)"},{"cve":"CVE-2023-31130","qid":"673319","title":"EulerOS Security Update for c-ares (EulerOS-SA-2023-2605)"},{"cve":"CVE-2023-31130","qid":"673368","title":"EulerOS Security Update for c-ares (EulerOS-SA-2023-2634)"},{"cve":"CVE-2023-31130","qid":"673401","title":"EulerOS Security Update for c-ares (EulerOS-SA-2023-2676)"},{"cve":"CVE-2023-31130","qid":"673706","title":"EulerOS Security Update for c-ares (EulerOS-SA-2023-3115)"},{"cve":"CVE-2023-31130","qid":"673890","title":"EulerOS Security Update for c-ares (EulerOS-SA-2023-2780)"},{"cve":"CVE-2023-31130","qid":"674117","title":"EulerOS Security Update for c-ares (EulerOS-SA-2023-2804)"},{"cve":"CVE-2023-31130","qid":"710769","title":"Gentoo Linux c-ares Multiple Vulnerabilities (GLSA 202310-09)"},{"cve":"CVE-2023-31130","qid":"754046","title":"SUSE Enterprise Linux Security Update for c-ares (SUSE-SU-2023:2313-1)"},{"cve":"CVE-2023-31130","qid":"754083","title":"SUSE Enterprise Linux Security Update for libcares2 (SUSE-SU-2023:2477-1)"},{"cve":"CVE-2023-31130","qid":"754181","title":"SUSE Enterprise Linux Security Update for nodejs16 (SUSE-SU-2023:2861-1)"},{"cve":"CVE-2023-31130","qid":"906990","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for c-ares (26914-1)"},{"cve":"CVE-2023-31130","qid":"907013","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for c-ares (26892-1)"},{"cve":"CVE-2023-31130","qid":"907091","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for nodejs (26938-1)"},{"cve":"CVE-2023-31130","qid":"907299","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for nodejs18 (26940-1)"},{"cve":"CVE-2023-31130","qid":"907580","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for fluent-bit (26917-1)"},{"cve":"CVE-2023-31130","qid":"941145","title":"AlmaLinux Security Update for nodejs (ALSA-2023:3586)"},{"cve":"CVE-2023-31130","qid":"941153","title":"AlmaLinux Security Update for nodejs:18 (ALSA-2023:3577)"},{"cve":"CVE-2023-31130","qid":"941168","title":"AlmaLinux Security Update for nodejs:16 (ALSA-2023:4034)"},{"cve":"CVE-2023-31130","qid":"941169","title":"AlmaLinux Security Update for nodejs:18 (ALSA-2023:4035)"},{"cve":"CVE-2023-31130","qid":"941381","title":"AlmaLinux Security Update for c-ares (ALSA-2023:6635)"},{"cve":"CVE-2023-31130","qid":"941455","title":"AlmaLinux Security Update for c-ares (ALSA-2023:7207)"},{"cve":"CVE-2023-31130","qid":"960945","title":"Rocky Linux Security Update for nodejs:18 (RLSA-2023:3577)"},{"cve":"CVE-2023-31130","qid":"961083","title":"Rocky Linux Security Update for c-ares (RLSA-2023:7207)"}]},"source_records":{"cve_program":{"data_version":"4.0","data_type":"CVE","data_format":"MITRE","CVE_data_meta":{"ID":"CVE-2023-31130","ASSIGNER":"security-advisories@github.com","STATE":"PUBLIC"},"description":{"description_data":[{"lang":"eng","value":"c-ares is an asynchronous resolver library. ares_inet_net_pton() is vulnerable to a buffer underflow for certain ipv6 addresses, in particular \"0::00:00:00/2\" was found to cause an issue.  C-ares only uses this function internally for configuration purposes which would require an administrator to configure such an address via ares_set_sortlist(). However, users may externally use ares_inet_net_pton() for other purposes and thus be vulnerable to more severe issues. This issue has been fixed in 1.19.1.\n"}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-124: Buffer Underwrite ('Buffer Underflow')","cweId":"CWE-124"}]}]},"affects":{"vendor":{"vendor_data":[{"vendor_name":"c-ares","product":{"product_data":[{"product_name":"c-ares","version":{"version_data":[{"version_affected":"=","version_value":"< 1.19.1"}]}}]}}]}},"references":{"reference_data":[{"url":"https://github.com/c-ares/c-ares/security/advisories/GHSA-x6mf-cxr9-8q6v","refsource":"MISC","name":"https://github.com/c-ares/c-ares/security/advisories/GHSA-x6mf-cxr9-8q6v"},{"url":"https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1","refsource":"MISC","name":"https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B5Z5XFNXTNPTCBBVXFDNZQVLLIE6VRBY/","refsource":"MISC","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B5Z5XFNXTNPTCBBVXFDNZQVLLIE6VRBY/"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UBFWILTA33LOSV23P44FGTQQIDRJHIY7/","refsource":"MISC","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UBFWILTA33LOSV23P44FGTQQIDRJHIY7/"},{"url":"https://www.debian.org/security/2023/dsa-5419","refsource":"MISC","name":"https://www.debian.org/security/2023/dsa-5419"},{"url":"https://lists.debian.org/debian-lts-announce/2023/06/msg00034.html","refsource":"MISC","name":"https://lists.debian.org/debian-lts-announce/2023/06/msg00034.html"},{"url":"https://security.gentoo.org/glsa/202310-09","refsource":"MISC","name":"https://security.gentoo.org/glsa/202310-09"}]},"source":{"advisory":"GHSA-x6mf-cxr9-8q6v","discovery":"UNKNOWN"},"impact":{"cvss":[{"attackComplexity":"HIGH","attackVector":"LOCAL","availabilityImpact":"HIGH","baseScore":4.1,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"HIGH","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H","version":"3.1"}]}},"nvd":{"publishedDate":"2023-05-25 22:15:00","lastModifiedDate":"2023-10-31 16:06:00","problem_types":["CWE-787"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H","attackVector":"LOCAL","attackComplexity":"HIGH","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":6.4,"baseSeverity":"MEDIUM"},"exploitabilityScore":0.5,"impactScore":5.9}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:c-ares_project:c-ares:*:*:*:*:*:*:*:*","versionEndExcluding":"1.19.1","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}