GitHub Advisory DatabaseGHSA-WHHR-7F2W-QQJ2phonenumber panics on parsing crafted RFC3966 inputs
8.6 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
0.001 Low
EPSS
Percentile
20.2%
Impact
The phonenumber parsing code may panic due to a panic-guarded out-of-bounds access on the phonenumber string.
In a typical deployment of rust-phonenumber, this may get triggered by feeding a maliciously crafted phonenumber over the network, specifically the string .;phone-context=.
Patches
Patches will be published as version 0.3.3+8.13.9 and backported as 0.2.5+8.11.3.
Workarounds
n.a.
References
n.a.
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| phonenumber | lt | 0.3.3 | |
| phonenumber | lt | 0.2.5 |
References
github.com/advisories/GHSA-whhr-7f2w-qqj2
github.com/whisperfish/rust-phonenumber/commit/2dd44be94539c051b4dee55d1d9d349bd7bedde6
github.com/whisperfish/rust-phonenumber/commit/bea8e732b9cada617ede5cf51663dba183747f71
github.com/whisperfish/rust-phonenumber/security/advisories/GHSA-whhr-7f2w-qqj2
nvd.nist.gov/vuln/detail/CVE-2023-42444
Related
8.6 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
0.001 Low
EPSS
Percentile
20.2%