CVE-2024-25629 — MEDIUM (4.4)

Q: How severe is CVE-2024-25629?

CVE-2024-25629 has been rated MEDIUM with a CVSS base score of 4.4/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2024-25629?

Check the references section above for vendor advisories and patch information. Affected products include: C-Ares C-Ares, Fedoraproject Fedora.

Vulnerability Description

c-ares is a C library for asynchronous DNS requests. `ares__read_line()` is used to parse local configuration files such as `/etc/resolv.conf`, `/etc/nsswitch.conf`, the `HOSTALIASES` file, and if using a c-ares version prior to 1.27.0, the `/etc/hosts` file. If any of these configuration files has an embedded `NULL` character as the first character in a new line, it can lead to attempting to read memory prior to the start of the given buffer which may result in a crash. This issue is fixed in c-ares 1.27.0. No known workarounds exist.

CVSS Score

4.4

MEDIUM

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
C-Ares	C-Ares	< 1.27.0
Fedoraproject	Fedora	38

Related Weaknesses (CWE)

CWE-125 CWE-127

References

https://github.com/c-ares/c-ares/commit/a804c04ddc8245fc8adf0e92368709639125e183Patch
https://github.com/c-ares/c-ares/security/advisories/GHSA-mg26-v6qh-x48qVendor Advisory
https://lists.fedoraproject.org/archives/list/[email protected]Mailing List
https://lists.fedoraproject.org/archives/list/[email protected]Mailing List
https://lists.fedoraproject.org/archives/list/[email protected]Mailing List
https://github.com/c-ares/c-ares/commit/a804c04ddc8245fc8adf0e92368709639125e183Patch
https://github.com/c-ares/c-ares/security/advisories/GHSA-mg26-v6qh-x48qVendor Advisory
https://lists.fedoraproject.org/archives/list/[email protected]Mailing List
https://lists.fedoraproject.org/archives/list/[email protected]Mailing List
https://lists.fedoraproject.org/archives/list/[email protected]Mailing List

FAQ

What is CVE-2024-25629?

CVE-2024-25629 is a vulnerability with a CVSS score of 4.4 (MEDIUM). c-ares is a C library for asynchronous DNS requests. `ares__read_line()` is used to parse local configuration files such as `/etc/resolv.conf`, `/etc/nsswitch.conf`, the `HOSTALIASES` file, and if usi...

How severe is CVE-2024-25629?

CVE-2024-25629 has been rated MEDIUM with a CVSS base score of 4.4/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2024-25629?

Check the references section above for vendor advisories and patch information. Affected products include: C-Ares C-Ares, Fedoraproject Fedora.