An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS02am13LTZteHctdzRqY84AA12e

Severity: High

EPSS: 0.00346% (0.56517 percentile)

BER/CER/DER decoder panics on invalid input

Affected Package    Affected Versions    Fixed Versions
cargo:bcder         < 0.7.3              0.7.3

Dependent packages: 13
Dependent repositories: 109
Downloads total: 8,501,086

Affected Version Ranges

All affected versions

0.1.0, 0.2.0, 0.2.1, 0.2.2, 0.3.0, 0.3.1, 0.4.0, 0.4.1, 0.4.2, 0.5.0, 0.5.1, 0.6.0, 0.6.1, 0.7.0, 0.7.1, 0.7.2

All unaffected versions

0.7.3, 0.7.4, 0.7.5

NLnet Labs’ bcder library up to and including version 0.7.2 panics while decoding certain invalid input data instead of rejecting the data with an error. This affects both the decoding stage itself and later access to the content of types that use delayed decoding.
