
RUSTSEC-2023-0062

BER/CER/DER decoder panics on invalid input

Reported
Issued
Package: bcder (crates.io)
Type: Vulnerability
Categories
Keywords: #example #freeform #keywords
Aliases
References
CVSS Score: 7.5 HIGH
CVSS Details
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Patched
  • >=0.7.3

Description

Due to insufficient checking of input data, decoding certain data sequences can lead to bcder panicking rather than returning an error. This affects both the actual decoding stage and later access to the content of types that use delayed decoding, where a length accepted at capture time is only acted on when the content is read. For a process that decodes BER/CER/DER received from an untrusted source, such as a network peer, the panic is a denial of service; that is what the availability-only CVSS vector above reflects.

bcder 0.7.3 fixes these issues by more thoroughly checking inputs and returning errors as expected.
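
The advisory does not show the faulty code paths, so the following is an added example, not bcder's own source: a minimal DER tag/length/value header decoder written twice. `decode_naive` indexes and slices the input without bounds checks, so a truncated buffer or an oversized length octet makes it panic, the failure mode the advisory describes. `decode_checked` validates every length octet before touching the bytes and returns an error instead, which is the behaviour a caller of a 0.7.3 or later bcder should expect. All names, the `DecodeError` variants and the sample inputs are assumptions made for this illustration.

```rust
// Added example, not bcder's code: a minimal DER tag/length/value header
// decoder written twice. `decode_naive` indexes and slices without bounds
// checks, so malformed input makes it panic; `decode_checked` validates every
// length before touching the bytes and returns an error instead.

/// One decoded TLV; `content` borrows from the input.
#[derive(Debug, PartialEq)]
pub struct Tlv<'a> {
    pub tag: u8,
    pub content: &'a [u8],
}

#[derive(Debug, PartialEq)]
pub enum DecodeError {
    Truncated,
    IndefiniteLength, // BER-only form, not allowed in DER
    LengthTooLong,    // more length octets than a usize can hold
    NonMinimalLength, // DER requires the shortest length encoding
}

/// Panicking decoder. Every `input[..]` below trusts the input to be well
/// formed: a short buffer hits an out-of-range index, and an oversized length
/// either overflows `hdr + len` (debug build) or slices past the end.
pub fn decode_naive(input: &[u8]) -> Tlv<'_> {
    let tag = input[0];
    let first = input[1];
    let (len, hdr) = if first < 0x80 {
        (first as usize, 2)
    } else {
        let n = (first & 0x7f) as usize;
        let mut len = 0usize;
        for i in 0..n {
            len = (len << 8) | input[2 + i] as usize; // panics if truncated
        }
        (len, 2 + n)
    };
    Tlv { tag, content: &input[hdr..hdr + len] } // panics if content truncated
}

/// Non-panicking decoder: the same format, but every read is bounds-checked
/// and every DER length rule is enforced before the content slice is taken,
/// so nothing that holds the returned `content` can trip over it later.
pub fn decode_checked(input: &[u8]) -> Result<Tlv<'_>, DecodeError> {
    let (&tag, rest) = input.split_first().ok_or(DecodeError::Truncated)?;
    let (&first, rest) = rest.split_first().ok_or(DecodeError::Truncated)?;
    let (len, rest) = if first < 0x80 {
        // Short form: the octet is the length itself.
        (first as usize, rest)
    } else if first == 0x80 {
        return Err(DecodeError::IndefiniteLength);
    } else {
        // Long form: the low seven bits give the number of length octets.
        let n = (first & 0x7f) as usize;
        if n > std::mem::size_of::<usize>() {
            return Err(DecodeError::LengthTooLong);
        }
        if rest.len() < n {
            return Err(DecodeError::Truncated);
        }
        let (len_bytes, rest) = rest.split_at(n);
        // DER minimality: no leading zero octet, and values below 0x80 must
        // have used the short form.
        if len_bytes[0] == 0 || (n == 1 && len_bytes[0] < 0x80) {
            return Err(DecodeError::NonMinimalLength);
        }
        let len = len_bytes
            .iter()
            .fold(0usize, |acc, &b| (acc << 8) | b as usize);
        (len, rest)
    };
    if rest.len() < len {
        return Err(DecodeError::Truncated);
    }
    let (content, _trailing) = rest.split_at(len);
    Ok(Tlv { tag, content })
}

fn main() {
    // Constructed inputs: a valid INTEGER 5, and the same header with the
    // content octet missing.
    let good: &'static [u8] = &[0x02, 0x01, 0x05];
    let truncated: &'static [u8] = &[0x02, 0x01];
    println!("{:?}", decode_checked(good));
    println!("{:?}", decode_checked(truncated));
    // The naive decoder panics on the same truncated input; it is caught here
    // only to show the contrast. catch_unwind is not a mitigation: it does
    // nothing under panic = "abort" and leaves the decoder state undefined.
    let caught = std::panic::catch_unwind(move || decode_naive(truncated));
    println!("naive decoder panicked: {}", caught.is_err());
}
```

The practical check for a deployment is the same either way: anything that feeds peer-supplied ASN.1 into bcder (RPKI validators, certificate or CRL parsers) should be on 0.7.3 or later, and a profile built with `panic = "abort"` turns each of the naive decoder's panics into a full process exit rather than a single failed request.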

Advisory available under CC0-1.0 license.