Skip to content

panic on parsing crafted phonenumber inputs

High severity GitHub Reviewed Published Jul 9, 2024 in whisperfish/rust-phonenumber • Updated Jul 9, 2024

Package

cargo phonenumber (Rust)

Affected versions

>= 0.3.4, < 0.3.6

Patched versions

0.3.6

Description

Impact

The phonenumber parsing code may panic due to a reachable assert! guard on the phonenumber string.

In a typical deployment of rust-phonenumber, this may get triggered by feeding a maliciously crafted phonenumber, e.g. over the network, specifically strings of the form +dwPAA;phone-context=AA, where the "number" part potentially parses as a number larger than 2^56.

Since f69abee1/0.3.4/#52.

0.2.x series is not affected.

Patches

Upgrade to 0.3.6 or higher.

Workarounds

n/a

References

Whereas whisperfish/rust-phonenumber#69 did not provide an example code path, property testing found a few: +dwPAA;phone-context=AA.

References

@rubdos rubdos published to whisperfish/rust-phonenumber Jul 9, 2024
Published to the GitHub Advisory Database Jul 9, 2024
Reviewed Jul 9, 2024
Published by the National Vulnerability Database Jul 9, 2024
Last updated Jul 9, 2024

Severity

High
8.6
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Changed
Confidentiality
None
Integrity
None
Availability
High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

Weaknesses

CVE ID

CVE-2024-39697

GHSA ID

GHSA-mjw4-jj88-v687

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.