CVE-2022-4904: Improper Input Validation

March 6, 2023 (updated January 5, 2024)

A flaw was found in the c-ares package. The ares_set_sortlist is missing checks about the validity of the input string, which allows a possible arbitrary length stack overflow. This issue may cause a denial of service or a limited impact on confidentiality and integrity.

References

bugzilla.redhat.com/show_bug.cgi?id=2168631
github.com/c-ares/c-ares/issues/496
lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/33LDNS6RPOPP36Z4MPWXALUQZXJCWJS2/
nvd.nist.gov/vuln/detail/CVE-2022-4904

Detect and mitigate CVE-2022-4904 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →