RUSTSEC-2023-0062
BER/CER/DER decoder panics on invalid input
- Reported:
- Issued:
- Package: bcder (crates.io)
- Type: Vulnerability
- Categories:
- Keywords: #example #freeform #keywords
- Aliases:
- References:
- CVSS Score: 7.5 HIGH
- CVSS Details:
  - Attack vector: Network
  - Attack complexity: Low
  - Privileges required: None
  - User interaction: None
  - Scope: Unchanged
  - Confidentiality: None
  - Integrity: None
  - Availability: High
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Patched: >=0.7.3
Description
Due to insufficient checking of input data, decoding certain data sequences can cause bcder to panic rather than return an error. This affects both the decoding stage itself and later access to the content of types that use delayed decoding.
bcder 0.7.3 fixes these issues by checking inputs more thoroughly and returning errors as expected.
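The class of defect described above is a decoder that indexes or slices its input without first checking that the bytes are there, so a truncated or malformed length field turns into a panic instead of an `Err`. The following is an added example written for this advisory; it is not bcder's code and does not use bcder's API. It shows a minimal DER tag/length header parser in which every access is bounds-checked and returns a typed error, a stand-in `unchecked_header_len` that reproduces the panicking pattern, and a call-site guard using `std::panic::catch_unwind` that converts any remaining panic into an error so one bad message cannot take down the thread. The error variants, the cap of four length octets, and the sample byte strings are all constructed for the example.

```rust
// Added example (not bcder's code): bounds-checked DER header parsing that
// returns errors instead of panicking, plus a panic-to-error guard for
// decoding untrusted input.
use std::panic::{self, AssertUnwindSafe};

#[derive(Debug, PartialEq)]
pub enum DecodeError {
    Truncated,        // input ends before the header or content is complete
    IndefiniteLength, // 0x80 length octet: not permitted in DER
    LengthTooLong,    // more than 4 length octets (constructed cap for this example)
    NonMinimalLength, // long form used where DER requires the shortest encoding
    Panicked,         // the decoder panicked on this input; surfaced as an error
}

/// Parses one DER tag octet and its length, returning (tag, content bytes).
/// Every input access goes through `get`, which yields None on a
/// short slice instead of panicking, and lengths are added with
/// `checked_add` so an oversized length cannot wrap around.
pub fn parse_der_header(input: &[u8]) -> Result<(u8, &[u8]), DecodeError> {
    let tag = *input.first().ok_or(DecodeError::Truncated)?;
    let first = *input.get(1).ok_or(DecodeError::Truncated)?;
    let (len, header_len) = if first < 0x80 {
        (first as usize, 2) // short form: the octet is the length
    } else if first == 0x80 {
        return Err(DecodeError::IndefiniteLength);
    } else {
        let n = (first & 0x7f) as usize; // long form: n subsequent length octets
        if n > 4 {
            return Err(DecodeError::LengthTooLong);
        }
        let len_bytes = input.get(2..2 + n).ok_or(DecodeError::Truncated)?;
        // DER: no leading zero octets, and values < 128 must use the short form.
        if len_bytes[0] == 0 || (n == 1 && len_bytes[0] < 0x80) {
            return Err(DecodeError::NonMinimalLength);
        }
        let mut len: usize = 0;
        for &b in len_bytes {
            len = (len << 8) | b as usize;
        }
        (len, 2 + n)
    };
    let end = header_len.checked_add(len).ok_or(DecodeError::Truncated)?;
    let content = input.get(header_len..end).ok_or(DecodeError::Truncated)?;
    Ok((tag, content))
}

/// Stand-in for the unchecked pattern: direct indexing panics when the
/// second octet is missing. Constructed to illustrate the bug class only.
pub fn unchecked_header_len(input: &[u8]) -> usize {
    if input[1] < 0x80 {
        2
    } else {
        2 + (input[1] & 0x7f) as usize
    }
}

/// Call-site guard for untrusted input: a panic inside `f` becomes
/// `DecodeError::Panicked` instead of unwinding into the caller. This needs
/// the default `panic = "unwind"` profile; with `panic = "abort"` there is
/// nothing to catch, so upgrading the decoder remains the real fix.
pub fn guarded<T>(f: impl FnOnce() -> T) -> Result<T, DecodeError> {
    panic::catch_unwind(AssertUnwindSafe(f)).map_err(|_| DecodeError::Panicked)
}

fn main() {
    // Constructed inputs: a valid OCTET STRING and a truncated one.
    println!("{:?}", parse_der_header(&[0x04, 0x03, 0x61, 0x62, 0x63]));
    println!("{:?}", parse_der_header(&[0x04, 0x03, 0x61]));
    println!("{:?}", guarded(|| unchecked_header_len(&[0x04])));
}
```

The guard is a stopgap for services that must keep running while the dependency is updated; the durable fix is the one the advisory names, moving to bcder 0.7.3 or later, where the decoder itself returns errors for these inputs.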
Advisory available under CC0-1.0 license.