CVE-2023-42444 : phonenumber is a library for parsing, formatting and validating international ph

phonenumber is a library for parsing, formatting and validating international phone numbers. Prior to versions `0.3.3+8.13.9` and `0.2.5+8.11.3`, the phonenumber parsing code may panic due to a panic-guarded out-of-bounds access on the phonenumber string. In a typical deployment of `rust-phonenumber`, this may get triggered by feeding a maliciously crafted phonenumber over the network, specifically the string `.;phone-context=`. Versions `0.3.3+8.13.9` and `0.2.5+8.11.3` contain a patch for this issue. There are no known workarounds.

Published 2023-09-19 15:15:57

Updated 2023-09-22 19:22:42

Source GitHub, Inc.

View at NVD, CVE.org

Vulnerability category: Input validation

Products affected by CVE-2023-42444

Whisperfish » Phonenumber » For Rust
Versions from including (>=) 0.3.0\+8.12.9 and before (<) 0.3.3\+8.13.9
cpe:2.3:a:whisperfish:phonenumber:*:*:*:*:*:rust:*:*
Matching versions
Whisperfish » Phonenumber » For Rust
Versions before (<) 0.2.5\+8.11.3
cpe:2.3:a:whisperfish:phonenumber:*:*:*:*:*:rust:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2023-42444

EPSS FAQ

0.55%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 67 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-42444

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H	3.9	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High
8.6	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H	3.9	4.0	GitHub, Inc.
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Changed Confidentiality: None Integrity: None Availability: High

CWE ids for CVE-2023-42444

CWE-248 Uncaught Exception

An exception is thrown from a function, but it is not caught.

Assigned by: security-advisories@github.com (Secondary)
CWE-392 Missing Report of Error Condition

The product encounters an error but does not provide a status code or return value to indicate that an error has occurred.

Assigned by: security-advisories@github.com (Secondary)
CWE-1284 Improper Validation of Specified Quantity in Input

The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.
Assigned by:
- nvd@nist.gov (Primary)
- security-advisories@github.com (Secondary)

References for CVE-2023-42444

https://github.com/whisperfish/rust-phonenumber/security/advisories/GHSA-whhr-7f2w-qqj2

panic on parsing crafted RF3966 phonenumber inputs · Advisory · whisperfish/rust-phonenumber · GitHub
Vendor Advisory
https://github.com/whisperfish/rust-phonenumber/commit/2dd44be94539c051b4dee55d1d9d349bd7bedde6

Fix panic on parsing crafted RF3966 phonenumber inputs · whisperfish/rust-phonenumber@2dd44be · GitHub
Patch
https://github.com/whisperfish/rust-phonenumber/commit/bea8e732b9cada617ede5cf51663dba183747f71

Merge branch 'advisory-fix-1' · whisperfish/rust-phonenumber@bea8e73 · GitHub
Patch

Jump to

Vulnerability Details : CVE-2023-42444

Products affected by CVE-2023-42444

Exploit prediction scoring system (EPSS) score for CVE-2023-42444

CVSS scores for CVE-2023-42444

CWE ids for CVE-2023-42444

References for CVE-2023-42444