CVE-2024-39697 phonenumber

Package

Manager: cargo
Name: phonenumber
Vulnerable Version: >=0.3.4 <0.3.6

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H

EPSS: 0.00069 (percentile 0.21385)

Details

panic on parsing crafted phonenumber inputs

Impact

The phonenumber parsing code may panic because of a reachable `assert!` guard on the phonenumber string. In a typical deployment of rust-phonenumber this can be triggered by feeding a maliciously crafted phonenumber, e.g. over the network, specifically strings of the form `+dwPAA;phone-context=AA`, where the "number" part potentially parses as a number larger than 2^56. Introduced in f69abee1 (0.3.4, #52); the 0.2.x series is not affected.

Patches

Upgrade to 0.3.6 or higher.

Workarounds

n/a

References

Whereas https://github.com/whisperfish/rust-phonenumber/issues/69 did not provide an example code path, property testing found a few, e.g. `+dwPAA;phone-context=AA`.
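An added defensive example, not part of the advisory and not the phonenumber crate's code: two layers a service can put between untrusted input and a parser that may panic, a cheap digit-count pre-filter and a `catch_unwind` boundary that turns a panic into an error. The parser below is a constructed stand-in that only mimics the failure class the advisory describes (a reachable `assert!` on a national number above 2^56); it does not reproduce the crate's actual code path.

```rust
use std::panic::{catch_unwind, AssertUnwindSafe};

/// Constructed stand-in for the vulnerable parser (NOT the phonenumber
/// crate's code). It mimics the failure class from the advisory: an
/// internal invariant ("national number fits in 56 bits") enforced with
/// an `assert!` that attacker-controlled input can reach.
fn mock_parse_national_number(input: &str) -> Result<u64, String> {
    let digits: String = input.chars().filter(|c| c.is_ascii_digit()).collect();
    if digits.is_empty() {
        return Err("no digits in input".to_string());
    }
    // 20+ digits may not fit u64 at all; saturate so the assert below fires.
    let value = digits.parse::<u64>().unwrap_or(u64::MAX);
    assert!(value < (1u64 << 56), "national number out of range");
    Ok(value)
}

/// Layer 1, cheap pre-filter at the trust boundary: E.164 allows at most
/// 15 digits, and 15 digits can never reach 2^56, so longer input is
/// dropped before any parser sees it.
pub fn prefilter(input: &str) -> Result<(), String> {
    let n = input.chars().filter(|c| c.is_ascii_digit()).count();
    if n > 15 {
        return Err(format!("rejected: {n} digits exceeds the E.164 maximum"));
    }
    Ok(())
}

/// Layer 2, containment: a panic inside the parser becomes an `Err`, so one
/// bad request cannot take down the worker. This needs the default
/// `panic = "unwind"` profile; under `panic = "abort"` the process still
/// dies and only upgrading the dependency (>= 0.3.6) removes the risk.
pub fn safe_parse(input: &str) -> Result<u64, String> {
    match catch_unwind(AssertUnwindSafe(|| mock_parse_national_number(input))) {
        Ok(parsed) => parsed,
        Err(_) => Err("parser panicked on untrusted input".to_string()),
    }
}

fn main() {
    std::panic::set_hook(Box::new(|_| {})); // keep the demo output quiet
    // Constructed sample inputs: one ordinary number, one oversized payload.
    for s in ["+49 30 1234567", "+1 234567890123456789"] {
        let outcome = prefilter(s).and_then(|_| safe_parse(s));
        println!("{s:?} -> {outcome:?}");
    }
}
```

Run the oversized input through `safe_parse` directly to see the boundary catch the panic; with both layers chained, the pre-filter rejects it before the parser runs.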

Metadata

Created: 2024-07-09T14:13:48Z
Modified: 2024-11-18T16:26:50Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-mjw4-jj88-v687/GHSA-mjw4-jj88-v687.json
CWE IDs: ["CWE-1284", "CWE-248", "CWE-392"]
Alternative ID: GHSA-mjw4-jj88-v687
Finding: F184
Auto approve: 1