CVSS base score: 8.6

CVE-2024-39697

phonenumber panics on parsing crafted phonenumber inputs

phonenumber is a library for parsing, formatting and validating international phone numbers. Since 0.3.4, the phonenumber parsing code may panic due to a panic-guarded out-of-bounds access on the phonenumber string. In a typical deployment of rust-phonenumber, this may get triggered by feeding a maliciously crafted phonenumber, e.g. over the network, specifically strings of the form `+dwPAA;phone-context=AA`, where the "number" part potentially parses as a number larger than 2^56. This vulnerability is fixed in 0.3.6.
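The failure mode described above is a reachable panic (CWE-617) triggered by a quantity the parser never bounds-checked (CWE-1284). The following Rust example is added here to illustrate that bug class and two defensive responses; it is not code from rust-phonenumber or from the advisory. It assumes the 2^56 limit named in the description as the bound a safe parser should enforce, uses a deliberately naive `naive_parse_digits` as a stand-in for any library call that can panic on crafted input, and shows a `catch_unwind` guard that a network service can place around such a call so that a library panic becomes an error response instead of a process crash.

```rust
use std::panic::{self, AssertUnwindSafe};

/// Bound taken from the advisory text: number parts above 2^56 trigger the crash.
/// Assumed here as the limit a checked parser should enforce (example only).
pub const MAX_NUMBER_VALUE: u64 = 1u64 << 56;

#[derive(Debug, PartialEq, Eq)]
pub enum ParseError {
    Empty,
    NonDigit(char),
    TooLarge,
    Panicked,
}

/// Hypothetical naive parser standing in for the bug class: it trusts the input
/// to fit, so an over-long digit run makes `unwrap` panic on the parse error
/// (a reachable assertion, CWE-617). This is NOT the crate's real code.
pub fn naive_parse_digits(s: &str) -> u64 {
    s.parse::<u64>().unwrap()
}

/// Checked parser: every step that could exceed the bound returns an error
/// instead of panicking, so crafted input is rejected rather than crashing.
pub fn checked_parse_digits(s: &str) -> Result<u64, ParseError> {
    if s.is_empty() {
        return Err(ParseError::Empty);
    }
    let mut value: u64 = 0;
    for c in s.chars() {
        let d = c.to_digit(10).ok_or(ParseError::NonDigit(c))? as u64;
        // checked_mul / checked_add report u64 overflow as None instead of wrapping
        value = value
            .checked_mul(10)
            .and_then(|v| v.checked_add(d))
            .ok_or(ParseError::TooLarge)?;
        // explicit domain bound (CWE-1284 mitigation): fail early, not at use site
        if value > MAX_NUMBER_VALUE {
            return Err(ParseError::TooLarge);
        }
    }
    Ok(value)
}

/// Service-boundary guard: run any parser (for example a third-party crate call)
/// under catch_unwind so a library panic is converted into an error value and
/// the worker handling other requests stays up.
pub fn parse_guarded<F: FnOnce() -> u64>(parser: F) -> Result<u64, ParseError> {
    panic::catch_unwind(AssertUnwindSafe(parser)).map_err(|_| ParseError::Panicked)
}

fn main() {
    // Constructed inputs: a benign number and a digit run far above the bound.
    println!("{:?}", checked_parse_digits("12345"));
    println!("{:?}", checked_parse_digits("99999999999999999999"));
    println!("{:?}", parse_guarded(|| naive_parse_digits("99999999999999999999")));
}
```

The bound check is the actual fix pattern (reject the quantity before it is used); the `catch_unwind` wrapper is a containment measure for code you do not control, and it only works because Rust's default panic strategy is unwinding, so a binary built with `panic = "abort"` still terminates.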
Data is provided by the CVE Program from Authorized Data Publishers (ADP) (unstructured)
Vendor: whisperfish
Product: phonenumber
Default status: unknown
Version: 0.3.4
Version: < 0.3.6
Status: affected
VulnDex Vulnerability Enrichment
No warning was found for this CVE.
EPSS metrics
Type: EPSS | Source: FIRST.org | Score: 0.71% | Percentile: 0.487
CVSS metrics
Source: security-advisories@github.com | Base score: 8.6 | Exploit score: 3.9 | Impact score: 4
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
CWE-1284 Improper Validation of Specified Quantity in Input

The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.

CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CWE-392 Missing Report of Error Condition

The product encounters an error but does not provide a status code or return value to indicate that an error has occurred.

CWE-617 Reachable Assertion

The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.

https://github.com/whisperfish/rust-phonenumber/commit/b792151b17fc90231c232a23935830c2266f3203
https://github.com/whisperfish/rust-phonenumber/commit/f69abee1481fac0d6d531407bae90020e39c6407
https://github.com/whisperfish/rust-phonenumber/issues/69
https://github.com/whisperfish/rust-phonenumber/pull/52
https://github.com/whisperfish/rust-phonenumber/security/advisories/GHSA-mjw4-jj88-v687