CVE-2024-39697

EPSS 0.2%
Published 09.07.2024 15:15:11
Last modified 21.11.2024 09:28:14
Source security-advisories@github.com
Teams watchlist Login
Open Login

phonenumber is a library for parsing, formatting and validating international phone numbers. Since 0.3.4, the phonenumber parsing code may panic due to a panic-guarded out-of-bounds access on the phonenumber string. In a typical deployment of rust-phonenumber, this may get triggered by feeding a maliciously crafted phonenumber, e.g. over the network, specifically strings of the form `+dwPAA;phone-context=AA`, where the "number" part potentially parses as a number larger than 2^56. This vulnerability is fixed in 0.3.6.

Affected products Warnungen 0 Metrics 2 CWE 4 References 8

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

This information is available to logged-in users.

Daten sind bereitgestellt durch das CVE Programm von Authorized Data Publishers (ADP) (Unstrukturiert)

Vendorwhisperfish

≫

Product phonenumber

Default Statusunknown

Version < 0.3.6

Version 0.3.4

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.2%	0.416

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
security-advisories@github.com	8.6	3.9	4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

CWE-1284 Improper Validation of Specified Quantity in Input

The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.

CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CWE-392 Missing Report of Error Condition

The product encounters an error but does not provide a status code or return value to indicate that an error has occurred.

CWE-617 Reachable Assertion

The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.

https://github.com/whisperfish/rust-phonenumber/commit/b792151b17fc90231c232a23935830c2266f3203

https://github.com/whisperfish/rust-phonenumber/commit/f69abee1481fac0d6d531407bae90020e39c6407

https://github.com/whisperfish/rust-phonenumber/issues/69

https://github.com/whisperfish/rust-phonenumber/pull/52

https://github.com/whisperfish/rust-phonenumber/security/advisories/GHSA-mjw4-jj88-v687

https://nvd.nist.gov/vuln/detail/CVE-2024-39697

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-39697

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-39697

EUVD