Lucene search

GoogleOSV:RUSTSEC-2024-0369

HistoryJul 07, 2024 - 12:00 p.m.

phonenumber: panic on parsing crafted phonenumber inputs

2024-07-0712:00:00

Google

osv.dev

phonenumber parsing

panic

assert guard

maliciously crafted

patch

software.

CVSS3

8.6

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

AI Score

Confidence

Low

JSON

Impact

The phonenumber parsing code may panic due to a reachable assert! guard on the phonenumber string.

In a typical deployment of rust-phonenumber, this may get triggered by feeding a maliciously crafted phonenumber, e.g. over the network, specifically strings of the form +dwPAA;phone-context=AA, where the “number” part potentially parses as a number larger than 2^56.

Since f69abee1/0.3.4/#52.

0.2.x series is not affected.

Patches

Patches have been published as version 0.3.6+8.13.36.

References

crates.io/crates/phonenumber

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39697

github.com/whisperfish/rust-phonenumber/security/advisories/GHSA-mjw4-jj88-v687

rustsec.org/advisories/RUSTSEC-2024-0369.html

CVSS3

8.6

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

AI Score

Confidence

Low

JSON

Related for OSV:RUSTSEC-2024-0369