CVE-2023-38470 - Vulnerability Details - OpenCVE

A vulnerability was found in Avahi. A reachable assertion exists in the avahi_escape_label() function.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Avahi	Avahi
Redhat	Enterprise Linux Rhel Eus

Configuration 1 [-]

cpe:2.3:a:avahi:avahi:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:o:redhat:enterprise_linux:8.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux:9.0:::::::*

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 8
avahi-0:0.7-21.el8_9.1	cpe:/a:redhat:enterprise_linux:8	RHSA-2023:7836	2023-12-14T00:00:00Z
avahi-0:0.7-21.el8_9.1	cpe:/o:redhat:enterprise_linux:8	RHSA-2023:7836	2023-12-14T00:00:00Z
Red Hat Enterprise Linux 8.6 Extended Update Support
avahi-0:0.7-20.el8_6.3	cpe:/a:redhat:rhel_eus:8.6	RHSA-2024:0418	2024-01-25T00:00:00Z
Red Hat Enterprise Linux 8.8 Extended Update Support
avahi-0:0.7-20.el8_8.4	cpe:/a:redhat:rhel_eus:8.8	RHSA-2024:0576	2024-01-30T00:00:00Z
Red Hat Enterprise Linux 9
avahi-0:0.8-20.el9	cpe:/a:redhat:enterprise_linux:9	RHSA-2024:2433	2024-04-30T00:00:00Z
avahi-0:0.8-20.el9	cpe:/o:redhat:enterprise_linux:9	RHSA-2024:2433	2024-04-30T00:00:00Z

References

Link	Providers
https://access.redhat.com/security/cve/CVE-2023-38470
https://bugzilla.redhat.com/show_bug.cgi?id=2191690
https://nvd.nist.gov/vuln/detail/CVE-2023-38470
https://www.cve.org/CVERecord?id=CVE-2023-38470

History

No history.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2023-11-02T14:57:28.872Z

Updated: 2024-08-29T14:21:01.506Z

Reserved: 2023-07-18T09:48:04.752Z

Link: CVE-2023-38470

Vulnrichment

Updated: 2024-08-02T17:39:13.623Z

NVD

Status : Modified

Published: 2023-11-02T15:15:08.237

Modified: 2024-11-21T08:13:38.703

Link: CVE-2023-38470

Redhat

Severity : Moderate

Publid Date: 2023-04-26T00:00:00Z

Links: CVE-2023-38470 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-38470", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2023-07-18T09:48:04.752Z", "datePublished": "2023-11-02T14:57:28.872Z", "dateUpdated": "2024-08-29T14:21:01.506Z"}, "containers": {"cna": {"title": "Reachable assertion in avahi_escape_label", "metrics": [{"other": {"content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in Avahi. A reachable assertion exists in the avahi_escape_label() function."}], "affected": [{"product": "avahi", "vendor": "n/a", "defaultStatus": "affected"}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 6", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "avahi", "defaultStatus": "unknown", "cpes": ["cpe:/o:redhat:enterprise_linux:6"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "avahi", "defaultStatus": "unknown", "cpes": ["cpe:/o:redhat:enterprise_linux:7"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "avahi", "defaultStatus": "affected", "cpes": ["cpe:/o:redhat:enterprise_linux:8"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "avahi", "defaultStatus": "affected", "cpes": ["cpe:/o:redhat:enterprise_linux:9"]}, {"product": "Fedora", "vendor": "Fedora", "collectionURL": "https://packages.fedoraproject.org/", "packageName": "avahi", "defaultStatus": "affected"}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2023-38470", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2191690", "name": "RHBZ#2191690", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2023-04-26T00:00:00+00:00", "problemTypes": [{"descriptions": [{"cweId": "CWE-617", "description": "Reachable Assertion", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-617: Reachable Assertion", "timeline": [{"lang": "en", "time": "2023-04-26T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2023-04-26T00:00:00+00:00", "value": "Made public."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2023-11-02T14:57:28.872Z"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T17:39:13.623Z"}, "title": "CVE Program Container", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2023-38470", "tags": ["vdb-entry", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2191690", "name": "RHBZ#2191690", "tags": ["issue-tracking", "x_refsource_REDHAT", "x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-29T13:54:46.019977Z", "id": "CVE-2023-38470", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-29T14:21:01.506Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2023-38470", "tags": ["vdb-entry", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2191690", "name": "RHBZ#2191690", "tags": ["issue-tracking", "x_refsource_REDHAT", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T17:39:13.623Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-38470", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-08-29T13:54:46.019977Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-29T14:20:55.420Z"}}], "cna": {"title": "Reachable assertion in avahi_escape_label", "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.2, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "n/a", "product": "avahi", "defaultStatus": "affected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:6"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 6", "packageName": "avahi", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unknown"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:7"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 7", "packageName": "avahi", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unknown"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:8"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "packageName": "avahi", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:9"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9", "packageName": "avahi", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"vendor": "Fedora", "product": "Fedora", "packageName": "avahi", "collectionURL": "https://packages.fedoraproject.org/", "defaultStatus": "affected"}], "timeline": [{"lang": "en", "time": "2023-04-26T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2023-04-26T00:00:00+00:00", "value": "Made public."}], "datePublic": "2023-04-26T00:00:00+00:00", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2023-38470", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2191690", "name": "RHBZ#2191690", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in Avahi. A reachable assertion exists in the avahi_escape_label() function."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-617", "description": "Reachable Assertion"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2023-11-02T14:57:28.872Z"}, "x_redhatCweChain": "CWE-617: Reachable Assertion"}}, "cveMetadata": {"cveId": "CVE-2023-38470", "state": "PUBLISHED", "dateUpdated": "2024-08-29T14:21:01.506Z", "dateReserved": "2023-07-18T09:48:04.752Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2023-11-02T14:57:28.872Z", "assignerShortName": "redhat"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:avahi:avahi:*:*:*:*:*:*:*:*", "matchCriteriaId": "6481267F-934F-4A0C-9B25-59738E798458", "versionEndExcluding": "0.9", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "7F6FB57C-2BC7-487C-96DD-132683AEB35D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in Avahi. A reachable assertion exists in the avahi_escape_label() function."}, {"lang": "es", "value": "Se encontr\u00f3 una vulnerabilidad en Avahi. Existe una afirmaci\u00f3n alcanzable en la funci\u00f3n avahi_escape_label()."}], "id": "CVE-2023-38470", "lastModified": "2024-11-21T08:13:38.703", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 3.6, "source": "secalert@redhat.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-11-02T15:15:08.237", "references": [{"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2023-38470"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2191690"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2023-38470"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2191690"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-617"}], "source": "secalert@redhat.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-617"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2023:7836", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "avahi-0:0.7-21.el8_9.1", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2023-12-14T00:00:00Z"}, {"advisory": "RHSA-2023:7836", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "avahi-0:0.7-21.el8_9.1", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2023-12-14T00:00:00Z"}, {"advisory": "RHSA-2024:0418", "cpe": "cpe:/a:redhat:rhel_eus:8.6", "package": "avahi-0:0.7-20.el8_6.3", "product_name": "Red Hat Enterprise Linux 8.6 Extended Update Support", "release_date": "2024-01-25T00:00:00Z"}, {"advisory": "RHSA-2024:0576", "cpe": "cpe:/a:redhat:rhel_eus:8.8", "package": "avahi-0:0.7-20.el8_8.4", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2024-01-30T00:00:00Z"}, {"advisory": "RHSA-2024:2433", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "avahi-0:0.8-20.el9", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-04-30T00:00:00Z"}, {"advisory": "RHSA-2024:2433", "cpe": "cpe:/o:redhat:enterprise_linux:9", "package": "avahi-0:0.8-20.el9", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-04-30T00:00:00Z"}], "bugzilla": {"description": "avahi: Reachable assertion in avahi_escape_label", "id": "2191690", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2191690"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.2", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-617", "details": ["A vulnerability was found in Avahi. A reachable assertion exists in the avahi_escape_label() function.", "A vulnerability was found in Avahi. A reachable assertion exists in the avahi_escape_label() function."], "name": "CVE-2023-38470", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "avahi", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "avahi", "product_name": "Red Hat Enterprise Linux 7"}], "public_date": "2023-04-26T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-38470\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-38470"], "threat_severity": "Moderate"}