RUSTSEC-2023-0062

BER/CER/DER decoder panics on invalid input

Reported

September 13, 2023

Issued

September 13, 2023

Package

bcder (crates.io)

Type

Vulnerability

Categories

denial-of-service

Keywords

#example #freeform #keywords

Aliases

CVE-2023-39914

References

https://nlnetlabs.nl/downloads/bcder/CVE-2023-39914.txt
https://github.com/NLnetLabs/bcder/pull/74

CVSS Score

7.5 HIGH

CVSS Details

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Patched

>=0.7.3

Description

Due to insufficient checking of input data, decoding certain data sequences can lead to bcder panicking rather than returning an error. This can affect both the actual decoding stage as well as accessing content of types that utilized delayed decoding.

bcder 0.7.3 fixes these issues by more thoroughly checking inputs and returning errors as expected.

Advisory available under CC0-1.0 license.