CVE-2022-4904

A flaw was found in the c-ares package. The ares_set_sortlist is missing checks about the validity of the input string, which allows a possible arbitrary length stack overflow. This issue may cause a denial of service or a limited impact on confidentiality and integrity.

Published: Mar 7, 2023
Updated: Apr 14, 2023
CVE: CVE-2022-4904
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.6
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

CWEs:

CWE-20
CWE-1284

Affected Software
References

Software	From	Fixed in
redhat / enterprise_linux	8.0	8.0.x
redhat / enterprise_linux	9.0	9.0.x
fedoraproject / fedora	36	36.x
c-ares_project / c-ares	-	1.19.0

https://bugzilla.redhat.com/show_bug.cgi?id=2168631
https://github.com/c-ares/c-ares/issues/496
https://lists.fedoraproject.org/archives/list/[email protected]/message/33LDNS6RPOPP36Z4MPWXALUQZXJCWJS2/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/33LDNS6RPOPP36Z4MPWXALUQZXJCWJS2/
https://security.gentoo.org/glsa/202401-02

Vulnerability Database

289,599

CVE-2022-4904