Lucene search

GoogleOSV:RUSTSEC-2023-0083

HistorySep 19, 2023 - 12:00 p.m.

blurhash: panic on parsing crafted blurhash inputs

2023-09-1912:00:00

Google

osv.dev

blurhash

parsing

panic

crafted inputs

network

utf-8

patches

version 0.2.0

user intervention

software

CVSS3

8.6

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

EPSS

0.001

Percentile

33.0%

JSON

Impact

The blurhash parsing code may panic due to multiple panic-guarded out-of-bounds accesses on untrusted input.

In a typical deployment, this may get triggered by feeding a maliciously crafted blurhashes over the network. These may include:

UTF-8 compliant strings containing multi-byte UTF-8 characters

Patches

The patches were released under version 0.2.0, which may require user intervention because of slight API churn.

References

crates.io/crates/blurhash

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-42447

github.com/whisperfish/blurhash-rs/security/advisories/GHSA-cxvp-82cq-57h2

rustsec.org/advisories/RUSTSEC-2023-0083.html

CVSS3

8.6

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

EPSS

0.001

Percentile

33.0%

JSON

Related for OSV:RUSTSEC-2023-0083