CVE-2022-4904

Public on 2023-02-22
Modified on 2024-02-10
Description

A flaw was found in the c-ares package. The ares_set_sortlist is missing checks about the validity of the input string, which allows a possible arbitrary length stack overflow. This issue may cause a denial of service or a limited impact on confidentiality and integrity.

Severity
Medium
See what this means
CVSS v3 Base Score
8.6
See breakdown

Affected Packages

Platform Package Release Date Advisory
Amazon Linux 1 c-ares 2023-07-19 ALAS-2023-1780
Amazon Linux 2 - Core c-ares 2024-01-09 ALAS2-2024-2399
Amazon Linux 2023 c-ares 2023-06-07 ALAS2023-2023-198
Amazon Linux 2023 nodejs 2023-07-19 ALAS2023-2023-243

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
NVD CVSSv3 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H