Reported

July 7, 2024

Issued

September 5, 2024

Package

phonenumber (crates.io)

Type

Vulnerability

Categories

• denial-of-service

Keywords

#panic #untrusted-input #parsing

Aliases

• CVE-2024-39697
• GHSA-mjw4-jj88-v687

References

• https://github.com/whisperfish/rust-phonenumber/security/advisories/GHSA-mjw4-jj88-v687
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39697

CVSS Score

8.6 HIGH

CVSS Details

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality Impact

None

Integrity Impact

None

Availability Impact

High

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

Patched

• >=0.3.6

Unaffected

• <0.3.3

Affected Functions

Version

phonenumber::parse

• *

Description

Impact

The phonenumber parsing code may panic due to a reachable assert! guard on the phonenumber string.

In a typical deployment of rust-phonenumber, this may get triggered by feeding a maliciously crafted phonenumber, e.g. over the network, specifically strings of the form +dwPAA;phone-context=AA, where the "number" part potentially parses as a number larger than 2^56.

Since f69abee1/0.3.4/#52.

0.2.x series is not affected.

Patches

Patches have been published as version 0.3.6+8.13.36.

Advisory available under CC0-1.0 license.