CVE-2024-39697 - OpenCVE

phonenumber is a library for parsing, formatting and validating international phone numbers. Since 0.3.4, the phonenumber parsing code may panic due to a panic-guarded out-of-bounds access on the phonenumber string. In a typical deployment of rust-phonenumber, this may get triggered by feeding a maliciously crafted phonenumber, e.g. over the network, specifically strings of the form `+dwPAA;phone-context=AA`, where the "number" part potentially parses as a number larger than 2^56. This vulnerability is fixed in 0.3.6.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

References

Link	Providers
https://github.com/whisperfish/rust-phonenumber/commit/b792151b17fc90231c232a23935830c2266f3203
https://github.com/whisperfish/rust-phonenumber/commit/f69abee1481fac0d6d531407bae90020e39c6407
https://github.com/whisperfish/rust-phonenumber/issues/69
https://github.com/whisperfish/rust-phonenumber/pull/52
https://github.com/whisperfish/rust-phonenumber/security/advisories/GHSA-mjw4-jj88-v687

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-07-09T14:16:38.493Z

Updated: 2024-08-02T04:26:16.016Z

Reserved: 2024-06-27T18:44:13.037Z

Link: CVE-2024-39697

Vulnrichment

Updated: 2024-08-02T04:26:16.016Z

NVD

Status : Awaiting Analysis

Published: 2024-07-09T15:15:11.290

Modified: 2024-07-09T18:19:14.047

Link: CVE-2024-39697

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-39697", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-06-27T18:44:13.037Z", "datePublished": "2024-07-09T14:16:38.493Z", "dateUpdated": "2024-08-02T04:26:16.016Z"}, "containers": {"cna": {"title": "phonenumber panics on parsing crafted phonenumber inputs", "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "lang": "en", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-392", "lang": "en", "description": "CWE-392: Missing Report of Error Condition", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-1284", "lang": "en", "description": "CWE-1284: Improper Validation of Specified Quantity in Input", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-617", "lang": "en", "description": "CWE-617: Reachable Assertion", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/whisperfish/rust-phonenumber/security/advisories/GHSA-mjw4-jj88-v687", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/whisperfish/rust-phonenumber/security/advisories/GHSA-mjw4-jj88-v687"}, {"name": "https://github.com/whisperfish/rust-phonenumber/issues/69", "tags": ["x_refsource_MISC"], "url": "https://github.com/whisperfish/rust-phonenumber/issues/69"}, {"name": "https://github.com/whisperfish/rust-phonenumber/pull/52", "tags": ["x_refsource_MISC"], "url": "https://github.com/whisperfish/rust-phonenumber/pull/52"}, {"name": "https://github.com/whisperfish/rust-phonenumber/commit/b792151b17fc90231c232a23935830c2266f3203", "tags": ["x_refsource_MISC"], "url": "https://github.com/whisperfish/rust-phonenumber/commit/b792151b17fc90231c232a23935830c2266f3203"}, {"name": "https://github.com/whisperfish/rust-phonenumber/commit/f69abee1481fac0d6d531407bae90020e39c6407", "tags": ["x_refsource_MISC"], "url": "https://github.com/whisperfish/rust-phonenumber/commit/f69abee1481fac0d6d531407bae90020e39c6407"}], "affected": [{"vendor": "whisperfish", "product": "rust-phonenumber", "versions": [{"version": ">= 0.3.4, < 0.3.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-07-09T14:16:38.493Z"}, "descriptions": [{"lang": "en", "value": "phonenumber is a library for parsing, formatting and validating international phone numbers. Since 0.3.4, the phonenumber parsing code may panic due to a panic-guarded out-of-bounds access on the phonenumber string. In a typical deployment of rust-phonenumber, this may get triggered by feeding a maliciously crafted phonenumber, e.g. over the network, specifically strings of the form `+dwPAA;phone-context=AA`, where the \"number\" part potentially parses as a number larger than 2^56. This vulnerability is fixed in 0.3.6."}], "source": {"advisory": "GHSA-mjw4-jj88-v687", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "whisperfish", "product": "phonenumber", "cpes": ["cpe:2.3:a:whisperfish:phonenumber:*:*:*:*:*:rust:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0.3.4", "status": "affected", "lessThan": "0.3.6", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-15T21:32:25.872927Z", "id": "CVE-2024-39697", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-15T21:33:39.716Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:26:16.016Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/whisperfish/rust-phonenumber/security/advisories/GHSA-mjw4-jj88-v687", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/whisperfish/rust-phonenumber/security/advisories/GHSA-mjw4-jj88-v687"}, {"name": "https://github.com/whisperfish/rust-phonenumber/issues/69", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/whisperfish/rust-phonenumber/issues/69"}, {"name": "https://github.com/whisperfish/rust-phonenumber/pull/52", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/whisperfish/rust-phonenumber/pull/52"}, {"name": "https://github.com/whisperfish/rust-phonenumber/commit/b792151b17fc90231c232a23935830c2266f3203", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/whisperfish/rust-phonenumber/commit/b792151b17fc90231c232a23935830c2266f3203"}, {"name": "https://github.com/whisperfish/rust-phonenumber/commit/f69abee1481fac0d6d531407bae90020e39c6407", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/whisperfish/rust-phonenumber/commit/f69abee1481fac0d6d531407bae90020e39c6407"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/whisperfish/rust-phonenumber/security/advisories/GHSA-mjw4-jj88-v687", "name": "https://github.com/whisperfish/rust-phonenumber/security/advisories/GHSA-mjw4-jj88-v687", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/whisperfish/rust-phonenumber/issues/69", "name": "https://github.com/whisperfish/rust-phonenumber/issues/69", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/whisperfish/rust-phonenumber/pull/52", "name": "https://github.com/whisperfish/rust-phonenumber/pull/52", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/whisperfish/rust-phonenumber/commit/b792151b17fc90231c232a23935830c2266f3203", "name": "https://github.com/whisperfish/rust-phonenumber/commit/b792151b17fc90231c232a23935830c2266f3203", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/whisperfish/rust-phonenumber/commit/f69abee1481fac0d6d531407bae90020e39c6407", "name": "https://github.com/whisperfish/rust-phonenumber/commit/f69abee1481fac0d6d531407bae90020e39c6407", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:26:16.016Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-39697", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-15T21:32:25.872927Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:whisperfish:phonenumber:*:*:*:*:*:rust:*:*"], "vendor": "whisperfish", "product": "phonenumber", "versions": [{"status": "affected", "version": "0.3.4", "lessThan": "0.3.6", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-15T21:33:35.619Z"}}], "cna": {"title": "phonenumber panics on parsing crafted phonenumber inputs", "source": {"advisory": "GHSA-mjw4-jj88-v687", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "whisperfish", "product": "rust-phonenumber", "versions": [{"status": "affected", "version": ">= 0.3.4, < 0.3.6"}]}], "references": [{"url": "https://github.com/whisperfish/rust-phonenumber/security/advisories/GHSA-mjw4-jj88-v687", "name": "https://github.com/whisperfish/rust-phonenumber/security/advisories/GHSA-mjw4-jj88-v687", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/whisperfish/rust-phonenumber/issues/69", "name": "https://github.com/whisperfish/rust-phonenumber/issues/69", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/whisperfish/rust-phonenumber/pull/52", "name": "https://github.com/whisperfish/rust-phonenumber/pull/52", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/whisperfish/rust-phonenumber/commit/b792151b17fc90231c232a23935830c2266f3203", "name": "https://github.com/whisperfish/rust-phonenumber/commit/b792151b17fc90231c232a23935830c2266f3203", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/whisperfish/rust-phonenumber/commit/f69abee1481fac0d6d531407bae90020e39c6407", "name": "https://github.com/whisperfish/rust-phonenumber/commit/f69abee1481fac0d6d531407bae90020e39c6407", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "phonenumber is a library for parsing, formatting and validating international phone numbers. Since 0.3.4, the phonenumber parsing code may panic due to a panic-guarded out-of-bounds access on the phonenumber string. In a typical deployment of rust-phonenumber, this may get triggered by feeding a maliciously crafted phonenumber, e.g. over the network, specifically strings of the form `+dwPAA;phone-context=AA`, where the \"number\" part potentially parses as a number larger than 2^56. This vulnerability is fixed in 0.3.6."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284: Improper Access Control"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-392", "description": "CWE-392: Missing Report of Error Condition"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1284", "description": "CWE-1284: Improper Validation of Specified Quantity in Input"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-617", "description": "CWE-617: Reachable Assertion"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-07-09T14:16:38.493Z"}}}, "cveMetadata": {"cveId": "CVE-2024-39697", "state": "PUBLISHED", "dateUpdated": "2024-08-02T04:26:16.016Z", "dateReserved": "2024-06-27T18:44:13.037Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-07-09T14:16:38.493Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "phonenumber is a library for parsing, formatting and validating international phone numbers. Since 0.3.4, the phonenumber parsing code may panic due to a panic-guarded out-of-bounds access on the phonenumber string. In a typical deployment of rust-phonenumber, this may get triggered by feeding a maliciously crafted phonenumber, e.g. over the network, specifically strings of the form `+dwPAA;phone-context=AA`, where the \"number\" part potentially parses as a number larger than 2^56. This vulnerability is fixed in 0.3.6."}, {"lang": "es", "value": "phonenumber es una librer\u00eda para analizar, formatear y validar n\u00fameros de tel\u00e9fono internacionales. Desde 0.3.4, el c\u00f3digo de an\u00e1lisis del n\u00famero de tel\u00e9fono puede entrar en p\u00e1nico debido a un acceso fuera de los l\u00edmites protegido contra p\u00e1nico en la cadena del n\u00famero de tel\u00e9fono. En una implementaci\u00f3n t\u00edpica de Rust-phonenumber, esto puede desencadenarse al alimentar un n\u00famero de tel\u00e9fono creado con fines malintencionados, por ejemplo, a trav\u00e9s de la red, espec\u00edficamente cadenas del formato `+dwPAA;phone-context=AA`, donde la parte \"number\" potencialmente se analiza como un n\u00famero mayor que 2^56. Esta vulnerabilidad se solucion\u00f3 en 0.3.6."}], "id": "CVE-2024-39697", "lastModified": "2024-07-09T18:19:14.047", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-07-09T15:15:11.290", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/whisperfish/rust-phonenumber/commit/b792151b17fc90231c232a23935830c2266f3203"}, {"source": "security-advisories@github.com", "url": "https://github.com/whisperfish/rust-phonenumber/commit/f69abee1481fac0d6d531407bae90020e39c6407"}, {"source": "security-advisories@github.com", "url": "https://github.com/whisperfish/rust-phonenumber/issues/69"}, {"source": "security-advisories@github.com", "url": "https://github.com/whisperfish/rust-phonenumber/pull/52"}, {"source": "security-advisories@github.com", "url": "https://github.com/whisperfish/rust-phonenumber/security/advisories/GHSA-mjw4-jj88-v687"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1284"}, {"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-392"}, {"lang": "en", "value": "CWE-617"}], "source": "security-advisories@github.com", "type": "Secondary"}]}