CVE-2023-42444 - OpenCVE

phonenumber is a library for parsing, formatting and validating international phone numbers. Prior to versions `0.3.3+8.13.9` and `0.2.5+8.11.3`, the phonenumber parsing code may panic due to a panic-guarded out-of-bounds access on the phonenumber string. In a typical deployment of `rust-phonenumber`, this may get triggered by feeding a maliciously crafted phonenumber over the network, specifically the string `.;phone-context=`. Versions `0.3.3+8.13.9` and `0.2.5+8.11.3` contain a patch for this issue. There are no known workarounds.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Whisperfish	Phonenumber

Configuration 1 [-]

OR	cpe:2.3:a:whisperfish:phonenumber::::::rust::*
	cpe:2.3:a:whisperfish:phonenumber::::::rust::*

References

Link	Resource
https://github.com/whisperfish/rust-phonenumber/commit/2dd44be94539c051b4dee55d1d9d349bd7bedde6	Patch
https://github.com/whisperfish/rust-phonenumber/commit/bea8e732b9cada617ede5cf51663dba183747f71	Patch
https://github.com/whisperfish/rust-phonenumber/security/advisories/GHSA-whhr-7f2w-qqj2	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-09-19T14:47:22.026Z

Updated: 2023-09-19T14:47:22.026Z

Reserved: 2023-09-08T20:57:45.572Z

Link: CVE-2023-42444

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-09-19T15:15:56.660

Modified: 2023-09-22T19:22:42.097

Link: CVE-2023-42444

JSON object: View

Redhat Information

No data.

CWE

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-42444", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-09-08T20:57:45.572Z", "datePublished": "2023-09-19T14:47:22.026Z", "dateUpdated": "2023-09-19T14:47:22.026Z"}, "containers": {"cna": {"title": "phonenumber panics on parsing crafted RF3966 inputs", "problemTypes": [{"descriptions": [{"cweId": "CWE-248", "lang": "en", "description": "CWE-248: Uncaught Exception", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-392", "lang": "en", "description": "CWE-392: Missing Report of Error Condition", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-1284", "lang": "en", "description": "CWE-1284: Improper Validation of Specified Quantity in Input", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/whisperfish/rust-phonenumber/security/advisories/GHSA-whhr-7f2w-qqj2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/whisperfish/rust-phonenumber/security/advisories/GHSA-whhr-7f2w-qqj2"}, {"name": "https://github.com/whisperfish/rust-phonenumber/commit/2dd44be94539c051b4dee55d1d9d349bd7bedde6", "tags": ["x_refsource_MISC"], "url": "https://github.com/whisperfish/rust-phonenumber/commit/2dd44be94539c051b4dee55d1d9d349bd7bedde6"}, {"name": "https://github.com/whisperfish/rust-phonenumber/commit/bea8e732b9cada617ede5cf51663dba183747f71", "tags": ["x_refsource_MISC"], "url": "https://github.com/whisperfish/rust-phonenumber/commit/bea8e732b9cada617ede5cf51663dba183747f71"}], "affected": [{"vendor": "whisperfish", "product": "rust-phonenumber", "versions": [{"version": "< 0.2.5+8.11.3", "status": "affected"}, {"version": ">= 0.3.0, < 0.3.3+8.3.19", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-09-19T14:47:22.026Z"}, "descriptions": [{"lang": "en", "value": "phonenumber is a library for parsing, formatting and validating international phone numbers. Prior to versions `0.3.3+8.13.9` and `0.2.5+8.11.3`, the phonenumber parsing code may panic due to a panic-guarded out-of-bounds access on the phonenumber string. In a typical deployment of `rust-phonenumber`, this may get triggered by feeding a maliciously crafted phonenumber over the network, specifically the string `.;phone-context=`. Versions `0.3.3+8.13.9` and `0.2.5+8.11.3` contain a patch for this issue. There are no known workarounds."}], "source": {"advisory": "GHSA-whhr-7f2w-qqj2", "discovery": "UNKNOWN"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:whisperfish:phonenumber:*:*:*:*:*:rust:*:*", "matchCriteriaId": "43C3C6E2-A892-4A2B-BABF-1792410DA003", "versionEndExcluding": "0.2.5\\+8.11.3", "vulnerable": true}, {"criteria": "cpe:2.3:a:whisperfish:phonenumber:*:*:*:*:*:rust:*:*", "matchCriteriaId": "2472D45E-43EB-480B-B550-66DC11713F8F", "versionEndExcluding": "0.3.3\\+8.13.9", "versionStartIncluding": "0.3.0\\+8.12.9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "phonenumber is a library for parsing, formatting and validating international phone numbers. Prior to versions `0.3.3+8.13.9` and `0.2.5+8.11.3`, the phonenumber parsing code may panic due to a panic-guarded out-of-bounds access on the phonenumber string. In a typical deployment of `rust-phonenumber`, this may get triggered by feeding a maliciously crafted phonenumber over the network, specifically the string `.;phone-context=`. Versions `0.3.3+8.13.9` and `0.2.5+8.11.3` contain a patch for this issue. There are no known workarounds."}, {"lang": "es", "value": "Phonenumber es una librer\u00eda para analizar, formatear y validar n\u00fameros de tel\u00e9fono internacionales. Antes de las versiones `0.3.3+8.13.9` y `0.2.5+8.11.3`, el c\u00f3digo parseado de phonenumber pod\u00eda entrar en p\u00e1nico debido a un acceso fuera de los l\u00edmites protegido contra el p\u00e1nico en la cadena phonenumber. En una implementaci\u00f3n t\u00edpica de `rust-phonenumber`, esto puede desencadenarse al introducir un phonenumber creado con fines malintencionados a trav\u00e9s de la red, espec\u00edficamente la cadena `.;phone-context=`. Las versiones `0.3.3+8.13.9` y `0.2.5+8.11.3` contienen un parche para este problema. No se conocen workarounds."}], "id": "CVE-2023-42444", "lastModified": "2023-09-22T19:22:42.097", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-09-19T15:15:56.660", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/whisperfish/rust-phonenumber/commit/2dd44be94539c051b4dee55d1d9d349bd7bedde6"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/whisperfish/rust-phonenumber/commit/bea8e732b9cada617ede5cf51663dba183747f71"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/whisperfish/rust-phonenumber/security/advisories/GHSA-whhr-7f2w-qqj2"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1284"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-1284"}, {"lang": "en", "value": "CWE-248"}, {"lang": "en", "value": "CWE-392"}], "source": "security-advisories@github.com", "type": "Secondary"}]}