CVE-2024-53856 – pgp
Package
Manager: cargo
Name: pgp
Vulnerable Version: >=0 <0.14.1
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00066 (percentile 0.20709)
Details
rPGP Panics on Malformed Untrusted Input

During a security audit, [Radically Open Security](https://www.radicallyopensecurity.com/) discovered several reachable edge cases that allow an attacker to crash `rpgp` by supplying crafted data.

### Impact

When processing malformed input, `rpgp` can hit Rust panics that terminate the program. This can happen in the following scenarios:

* Parsing OpenPGP messages from binary or armor format
* Decrypting OpenPGP messages via `decrypt_with_password()`
* Parsing or converting public keys
* Parsing signed cleartext messages from armor format
* Using malformed private keys to sign or encrypt

Given the affected components, we consider most attack vectors to be reachable by remote attackers during typical use of the `rpgp` library. The attack complexity is low: the malformed messages are generic, short, and require no victim-specific knowledge. The result is a denial of service via program termination. There is no impact on confidentiality or integrity.

### Versions and Patches

All recent versions are affected by at least some of the issues listed above. The vulnerabilities have been fixed in version `0.14.1`. We recommend that all users upgrade to this version.

### References

The security audit was made possible by the [NLnet Foundation NGI Zero Core](https://nlnet.nl/core/) grant program [for rpgp](https://nlnet.nl/project/rPGP-cryptorefresh/).
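The bug class behind this advisory (a length field taken from untrusted input that is inconsistent with the bytes actually present, CWE-130, reaching an unguarded slice or assertion and unwinding the process, CWE-248/CWE-617) is easiest to see in miniature. The Rust below is an added, constructed illustration written for this page; it is not rpgp's code, does not model the real OpenPGP packet header, and the toy one-byte length format, the `ParseError` type and the sample bytes are all assumptions. It shows a panicking parser next to a hardened one that returns `Result`, plus a `catch_unwind` wrapper that a caller stuck on an unpatched version can use as defence in depth until they upgrade.

```rust
use std::panic;

/// Toy packet layout for illustration only (assumption, not OpenPGP):
/// one tag byte, one length byte, then `length` body bytes.
#[derive(Debug, PartialEq)]
pub struct Packet<'a> {
    pub tag: u8,
    pub body: &'a [u8],
}

/// Panicking parser: trusts the attacker-controlled length byte.
/// `input[2..2 + len]` panics with a slice out-of-range error when `len`
/// exceeds the remaining bytes, so a two-byte input kills the process.
pub fn parse_packet_panicking(input: &[u8]) -> Packet<'_> {
    let tag = input[0];
    let len = input[1] as usize;
    Packet { tag, body: &input[2..2 + len] }
}

#[derive(Debug, PartialEq)]
pub enum ParseError {
    TruncatedHeader,
    LengthExceedsInput { declared: usize, available: usize },
}

/// Hardened parser: every read is bounds-checked and an inconsistent
/// length is reported as an error the caller can handle.
pub fn parse_packet(input: &[u8]) -> Result<Packet<'_>, ParseError> {
    let (&tag, rest) = input.split_first().ok_or(ParseError::TruncatedHeader)?;
    let (&len_byte, body) = rest.split_first().ok_or(ParseError::TruncatedHeader)?;
    let declared = len_byte as usize;
    if declared > body.len() {
        return Err(ParseError::LengthExceedsInput { declared, available: body.len() });
    }
    Ok(Packet { tag, body: &body[..declared] })
}

/// Defence in depth for callers of a still-panicking parser: run it under
/// `catch_unwind` so a panic becomes an `Err` instead of terminating the
/// process. This only helps when the binary unwinds on panic (the default);
/// it does nothing under `panic = "abort"`, and it is not a substitute for
/// upgrading to a fixed version.
pub fn parse_isolated(input: &[u8]) -> Result<(u8, Vec<u8>), String> {
    let owned = input.to_vec();
    panic::catch_unwind(move || {
        let p = parse_packet_panicking(&owned);
        (p.tag, p.body.to_vec())
    })
    .map_err(|_| "parser panicked on untrusted input".to_string())
}

fn main() {
    // Constructed samples: a well-formed packet and a crafted one whose
    // length byte (0xFF) claims 255 body bytes that are not present.
    let well_formed: &[u8] = &[0xC1, 0x03, b'a', b'b', b'c'];
    let crafted: &[u8] = &[0xC1, 0xFF];
    for sample in [well_formed, crafted] {
        println!("hardened: {:?}", parse_packet(sample));
        println!("isolated: {:?}", parse_isolated(sample));
    }
}
```

Run it with a two-byte crafted input and the hardened parser returns `LengthExceedsInput { declared: 255, available: 0 }` while the isolated wrapper turns the panic into an `Err`; only the raw panicking parser takes the process down. The same discipline (return `Result` on every length, offset and tag check rather than indexing or asserting) is what closes this class of issue in a real parser.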
Metadata
Created: 2024-12-05T17:30:52Z
Modified: 2024-12-05T19:05:47Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-9rmp-2568-59rv/GHSA-9rmp-2568-59rv.json
CWE IDs: ["CWE-130", "CWE-248", "CWE-617"]
Alternative ID: GHSA-9rmp-2568-59rv
Finding: F052
Auto approve: 1