CVE-2023-42444 - OpenCVE

phonenumber is a library for parsing, formatting and validating international phone numbers. Prior to versions `0.3.3+8.13.9` and `0.2.5+8.11.3`, the phonenumber parsing code may panic due to a panic-guarded out-of-bounds access on the phonenumber string. In a typical deployment of `rust-phonenumber`, this may get triggered by feeding a maliciously crafted phonenumber over the network, specifically the string `.;phone-context=`. Versions `0.3.3+8.13.9` and `0.2.5+8.11.3` contain a patch for this issue. There are no known workarounds.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Whisperfish	Phonenumber

Configuration 1 [-]

OR	cpe:2.3:a:whisperfish:phonenumber::::::rust::*
	cpe:2.3:a:whisperfish:phonenumber::::::rust::*

No data.

References

Link	Providers
https://github.com/whisperfish/rust-phonenumber/commit/2dd44be94539c051b4dee55d1d9d349bd7bedde6
https://github.com/whisperfish/rust-phonenumber/commit/bea8e732b9cada617ede5cf51663dba183747f71
https://github.com/whisperfish/rust-phonenumber/security/advisories/GHSA-whhr-7f2w-qqj2

History

Tue, 24 Sep 2024 21:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-09-19T14:47:22.026Z

Updated: 2024-09-24T20:46:54.422Z

Reserved: 2023-09-08T20:57:45.572Z

Link: CVE-2023-42444

Vulnrichment

Updated: 2024-08-02T19:23:38.765Z

NVD

Status : Analyzed

Published: 2023-09-19T15:15:56.660

Modified: 2023-09-22T19:22:42.097

Link: CVE-2023-42444

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-42444", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-09-08T20:57:45.572Z", "datePublished": "2023-09-19T14:47:22.026Z", "dateUpdated": "2024-09-24T20:46:54.422Z"}, "containers": {"cna": {"title": "phonenumber panics on parsing crafted RF3966 inputs", "problemTypes": [{"descriptions": [{"cweId": "CWE-248", "lang": "en", "description": "CWE-248: Uncaught Exception", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-392", "lang": "en", "description": "CWE-392: Missing Report of Error Condition", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-1284", "lang": "en", "description": "CWE-1284: Improper Validation of Specified Quantity in Input", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/whisperfish/rust-phonenumber/security/advisories/GHSA-whhr-7f2w-qqj2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/whisperfish/rust-phonenumber/security/advisories/GHSA-whhr-7f2w-qqj2"}, {"name": "https://github.com/whisperfish/rust-phonenumber/commit/2dd44be94539c051b4dee55d1d9d349bd7bedde6", "tags": ["x_refsource_MISC"], "url": "https://github.com/whisperfish/rust-phonenumber/commit/2dd44be94539c051b4dee55d1d9d349bd7bedde6"}, {"name": "https://github.com/whisperfish/rust-phonenumber/commit/bea8e732b9cada617ede5cf51663dba183747f71", "tags": ["x_refsource_MISC"], "url": "https://github.com/whisperfish/rust-phonenumber/commit/bea8e732b9cada617ede5cf51663dba183747f71"}], "affected": [{"vendor": "whisperfish", "product": "rust-phonenumber", "versions": [{"version": "< 0.2.5+8.11.3", "status": "affected"}, {"version": ">= 0.3.0, < 0.3.3+8.3.19", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-09-19T14:47:22.026Z"}, "descriptions": [{"lang": "en", "value": "phonenumber is a library for parsing, formatting and validating international phone numbers. Prior to versions `0.3.3+8.13.9` and `0.2.5+8.11.3`, the phonenumber parsing code may panic due to a panic-guarded out-of-bounds access on the phonenumber string. In a typical deployment of `rust-phonenumber`, this may get triggered by feeding a maliciously crafted phonenumber over the network, specifically the string `.;phone-context=`. Versions `0.3.3+8.13.9` and `0.2.5+8.11.3` contain a patch for this issue. There are no known workarounds."}], "source": {"advisory": "GHSA-whhr-7f2w-qqj2", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T19:23:38.765Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/whisperfish/rust-phonenumber/security/advisories/GHSA-whhr-7f2w-qqj2", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/whisperfish/rust-phonenumber/security/advisories/GHSA-whhr-7f2w-qqj2"}, {"name": "https://github.com/whisperfish/rust-phonenumber/commit/2dd44be94539c051b4dee55d1d9d349bd7bedde6", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/whisperfish/rust-phonenumber/commit/2dd44be94539c051b4dee55d1d9d349bd7bedde6"}, {"name": "https://github.com/whisperfish/rust-phonenumber/commit/bea8e732b9cada617ede5cf51663dba183747f71", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/whisperfish/rust-phonenumber/commit/bea8e732b9cada617ede5cf51663dba183747f71"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-24T20:46:29.902328Z", "id": "CVE-2023-42444", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-24T20:46:54.422Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/whisperfish/rust-phonenumber/security/advisories/GHSA-whhr-7f2w-qqj2", "name": "https://github.com/whisperfish/rust-phonenumber/security/advisories/GHSA-whhr-7f2w-qqj2", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/whisperfish/rust-phonenumber/commit/2dd44be94539c051b4dee55d1d9d349bd7bedde6", "name": "https://github.com/whisperfish/rust-phonenumber/commit/2dd44be94539c051b4dee55d1d9d349bd7bedde6", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/whisperfish/rust-phonenumber/commit/bea8e732b9cada617ede5cf51663dba183747f71", "name": "https://github.com/whisperfish/rust-phonenumber/commit/bea8e732b9cada617ede5cf51663dba183747f71", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T19:23:38.765Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-42444", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-24T20:46:29.902328Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-24T20:46:50.769Z"}}], "cna": {"title": "phonenumber panics on parsing crafted RF3966 inputs", "source": {"advisory": "GHSA-whhr-7f2w-qqj2", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "whisperfish", "product": "rust-phonenumber", "versions": [{"status": "affected", "version": "< 0.2.5+8.11.3"}, {"status": "affected", "version": ">= 0.3.0, < 0.3.3+8.3.19"}]}], "references": [{"url": "https://github.com/whisperfish/rust-phonenumber/security/advisories/GHSA-whhr-7f2w-qqj2", "name": "https://github.com/whisperfish/rust-phonenumber/security/advisories/GHSA-whhr-7f2w-qqj2", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/whisperfish/rust-phonenumber/commit/2dd44be94539c051b4dee55d1d9d349bd7bedde6", "name": "https://github.com/whisperfish/rust-phonenumber/commit/2dd44be94539c051b4dee55d1d9d349bd7bedde6", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/whisperfish/rust-phonenumber/commit/bea8e732b9cada617ede5cf51663dba183747f71", "name": "https://github.com/whisperfish/rust-phonenumber/commit/bea8e732b9cada617ede5cf51663dba183747f71", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "phonenumber is a library for parsing, formatting and validating international phone numbers. Prior to versions `0.3.3+8.13.9` and `0.2.5+8.11.3`, the phonenumber parsing code may panic due to a panic-guarded out-of-bounds access on the phonenumber string. In a typical deployment of `rust-phonenumber`, this may get triggered by feeding a maliciously crafted phonenumber over the network, specifically the string `.;phone-context=`. Versions `0.3.3+8.13.9` and `0.2.5+8.11.3` contain a patch for this issue. There are no known workarounds."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-248", "description": "CWE-248: Uncaught Exception"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-392", "description": "CWE-392: Missing Report of Error Condition"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1284", "description": "CWE-1284: Improper Validation of Specified Quantity in Input"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-09-19T14:47:22.026Z"}}}, "cveMetadata": {"cveId": "CVE-2023-42444", "state": "PUBLISHED", "dateUpdated": "2024-09-24T20:46:54.422Z", "dateReserved": "2023-09-08T20:57:45.572Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2023-09-19T14:47:22.026Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:whisperfish:phonenumber:*:*:*:*:*:rust:*:*", "matchCriteriaId": "43C3C6E2-A892-4A2B-BABF-1792410DA003", "versionEndExcluding": "0.2.5\\+8.11.3", "vulnerable": true}, {"criteria": "cpe:2.3:a:whisperfish:phonenumber:*:*:*:*:*:rust:*:*", "matchCriteriaId": "2472D45E-43EB-480B-B550-66DC11713F8F", "versionEndExcluding": "0.3.3\\+8.13.9", "versionStartIncluding": "0.3.0\\+8.12.9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "phonenumber is a library for parsing, formatting and validating international phone numbers. Prior to versions `0.3.3+8.13.9` and `0.2.5+8.11.3`, the phonenumber parsing code may panic due to a panic-guarded out-of-bounds access on the phonenumber string. In a typical deployment of `rust-phonenumber`, this may get triggered by feeding a maliciously crafted phonenumber over the network, specifically the string `.;phone-context=`. Versions `0.3.3+8.13.9` and `0.2.5+8.11.3` contain a patch for this issue. There are no known workarounds."}, {"lang": "es", "value": "Phonenumber es una librer\u00eda para analizar, formatear y validar n\u00fameros de tel\u00e9fono internacionales. Antes de las versiones `0.3.3+8.13.9` y `0.2.5+8.11.3`, el c\u00f3digo parseado de phonenumber pod\u00eda entrar en p\u00e1nico debido a un acceso fuera de los l\u00edmites protegido contra el p\u00e1nico en la cadena phonenumber. En una implementaci\u00f3n t\u00edpica de `rust-phonenumber`, esto puede desencadenarse al introducir un phonenumber creado con fines malintencionados a trav\u00e9s de la red, espec\u00edficamente la cadena `.;phone-context=`. Las versiones `0.3.3+8.13.9` y `0.2.5+8.11.3` contienen un parche para este problema. No se conocen workarounds."}], "id": "CVE-2023-42444", "lastModified": "2023-09-22T19:22:42.097", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-09-19T15:15:56.660", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/whisperfish/rust-phonenumber/commit/2dd44be94539c051b4dee55d1d9d349bd7bedde6"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/whisperfish/rust-phonenumber/commit/bea8e732b9cada617ede5cf51663dba183747f71"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/whisperfish/rust-phonenumber/security/advisories/GHSA-whhr-7f2w-qqj2"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1284"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-1284"}, {"lang": "en", "value": "CWE-248"}, {"lang": "en", "value": "CWE-392"}], "source": "security-advisories@github.com", "type": "Secondary"}]}