THREATINT


State: PUBLISHED

CVE-2024-39697

phonenumber panics on parsing crafted phonenumber inputs

Assigner: GitHub_M
Reserved: 2024-06-27
Published: 2024-07-09
Updated: 2024-07-15

Description

phonenumber (rust-phonenumber) is a Rust library for parsing, formatting and validating international phone numbers. From 0.3.4 onward the parser can panic: on certain inputs it performs an out-of-bounds access on the phone-number string, and Rust's bounds check turns that access into a panic rather than memory corruption. In a typical deployment this is reachable with a maliciously crafted phone number supplied, for example, over the network: strings of the form `+dwPAA;phone-context=AA`, where the "number" part parses as a value larger than 2^56. The impact is therefore a crash (denial of service) of any process that parses untrusted input with an affected version, which matches the CVSS vector below (availability only). The vulnerability is fixed in 0.3.6.
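The correct fix is to upgrade to 0.3.6 or later. Because the failure class (a parser that panics instead of returning an error) recurs across libraries, the added Rust example below shows how a service should isolate such a parser. It is not rust-phonenumber's code: `parse_hypothetical` is a constructed stand-in that only reproduces the behaviour described above (a digit run that parses to a value of 2^56 or more makes it index past the end of a slice and panic), and `prevalidate`, `guard` and `parse_untrusted` are hypothetical wrappers around it. The sample inputs are constructed; 72057594037927936 is 2^56.

```rust
use std::panic;

/// E.164 allows at most 15 digits in a number; longer digit runs cannot be valid.
const MAX_DIGITS: usize = 15;

/// Hypothetical stand-in for the vulnerable parser. It is NOT rust-phonenumber's
/// code; it only mimics the observable behaviour from the advisory: a digit run
/// that parses to a value >= 2^56 triggers an out-of-bounds index (a panic in
/// Rust) instead of an Err.
fn parse_hypothetical(input: &str) -> Result<u64, String> {
    let rest = input.strip_prefix('+').ok_or("expected leading '+'")?;
    // The national number ends at the first ';' (start of parameters such as phone-context).
    let digits: String = rest.chars().take_while(|c| *c != ';').collect();
    if digits.is_empty() || !digits.chars().all(|c| c.is_ascii_digit()) {
        return Err("national number must be decimal digits".into());
    }
    // Values that do not fit in u64 are reported cleanly; the defect is only below.
    let value: u64 = digits.parse().map_err(|e| format!("overflow: {e}"))?;
    // Constructed defect (not the library's real code): a one-entry table indexed
    // by the top byte of the value, so any value >= 2^56 reads out of bounds.
    const TABLE: [u8; 1] = [0];
    let _ = TABLE[(value >> 56) as usize];
    Ok(value)
}

/// Cheap syntactic gate applied before the library is ever called. It bounds the
/// work done per request and rejects inputs that cannot be an E.164 number anyway.
fn prevalidate(input: &str) -> Result<&str, String> {
    if input.len() > 64 {
        return Err("input too long".into());
    }
    let rest = input.strip_prefix('+').ok_or("expected leading '+'")?;
    let digits = rest
        .chars()
        .take_while(|c| *c != ';')
        .filter(|c| c.is_ascii_digit())
        .count();
    if digits == 0 || digits > MAX_DIGITS {
        return Err(format!("{digits} digits is outside 1..={MAX_DIGITS}"));
    }
    Ok(input)
}

/// Panic boundary: converts an unwinding panic inside the parser into an Err so a
/// single malicious request cannot take down the whole process. Requires the
/// default `panic = "unwind"` profile; with `panic = "abort"` nothing is caught.
fn guard<T>(f: impl FnOnce() -> Result<T, String> + panic::UnwindSafe) -> Result<T, String> {
    panic::catch_unwind(f).unwrap_or_else(|_| Err("parser panicked on untrusted input".into()))
}

/// What a request handler should call: pre-validation first, then the parser
/// behind the panic boundary. Both layers are defence in depth around the real
/// fix, which is running a patched library version.
fn parse_untrusted(input: &str) -> Result<u64, String> {
    let input = prevalidate(input)?;
    guard(move || parse_hypothetical(input))
}

fn main() {
    // Route the panic message to logging instead of letting it spam stderr.
    panic::set_hook(Box::new(|info| eprintln!("contained parser panic: {info}")));

    let samples = [
        "+14155552671",                         // ordinary number
        "+14155552671;phone-context=example",   // with a phone-context parameter
        "+72057594037927936",                   // 2^56: panics the stand-in parser
        "+123456789012345678901234",            // does not fit in u64: clean Err
    ];
    for s in samples {
        println!("{s:40} -> {:?}", parse_untrusted(s));
    }
}
```

`guard` alone already turns the crash into an error; `prevalidate` is kept in front of it because it is cheaper than unwinding and rejects the over-long digit runs before they reach any parser. Neither replaces the upgrade: catch_unwind does not help a binary built with `panic = "abort"`, and a panic inside a lock-holding or multi-threaded parser can poison shared state.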



HIGH: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)

Problem types

CWE-284: Improper Access Control

CWE-392: Missing Report of Error Condition

CWE-1284: Improper Validation of Specified Quantity in Input

CWE-617: Reachable Assertion

Product status

phonenumber >= 0.3.4, < 0.3.6: affected

References

https://github.com/whisperfish/rust-phonenumber/security/advisories/GHSA-mjw4-jj88-v687

https://github.com/whisperfish/rust-phonenumber/issues/69

https://github.com/whisperfish/rust-phonenumber/pull/52

https://github.com/whisperfish/rust-phonenumber/commit/b792151b17fc90231c232a23935830c2266f3203

https://github.com/whisperfish/rust-phonenumber/commit/f69abee1481fac0d6d531407bae90020e39c6407

cve.org CVE-2024-39697

nvd.nist.gov CVE-2024-39697

https://cve.threatint.com/CVE/CVE-2024-39697
© Copyright 2024 THREATINT. Made in Cyprus.