Lucene search

GoogleOSV:GHSA-GPCV-P28P-FV2P

HistoryAug 03, 2023 - 4:35 p.m.

odoh-rs's Invalid Slice Split Results in Server Panic

2023-08-0316:35:20

Google

osv.dev

vulnerability

odoh-rs rust crate

server panic

encrypted queries

remote clients

server crash

service unavailability

update

patches

CVSS3

5.9

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

31.3%

JSON

A vulnerability was discovered in the odoh-rs rust crate that stems from faulty logic during the parsing of encrypted queries. This issue specifically occurs when processing encrypted query data received from remote clients.

Impact

An attacker with knowledge of this vulnerability could craft and send specially designed encrypted queries to targeted ODOH servers running with odoh-rs. Upon successful exploitation, the server will crash abruptly, disrupting its normal operation and rendering the service temporarily unavailable.

Patches

Users are encouraged to update their odoh-rs’s rust crate to v1.0.2.

References

github.com/cloudflare/odoh-rs

github.com/cloudflare/odoh-rs/commit/c1bc4ed71dcc9842b7dc1ea26f278f105074bbaa

github.com/cloudflare/odoh-rs/pull/28

github.com/cloudflare/odoh-rs/security/advisories/GHSA-gpcv-p28p-fv2p

nvd.nist.gov/vuln/detail/CVE-2023-3766

CVSS3

5.9

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

31.3%

JSON

Related for OSV:GHSA-GPCV-P28P-FV2P