Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS02am13LTZteHctdzRqY84AA12e
BER/CER/DER decoder panics on invalid input
NLnet Labs’ bcder library up to and including version 0.7.2 panics while decoding certain invalid input data rather than rejecting the data with an error. This can affect both the actual decoding stage as well as accessing content of types that utilized delayed decoding.
Permalink: https://github.com/advisories/GHSA-6jmw-6mxw-w4jcJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02am13LTZteHctdzRqY84AA12e
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 8 months ago
Updated: 6 months ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Identifiers: GHSA-6jmw-6mxw-w4jc, CVE-2023-39914
References:
- https://nvd.nist.gov/vuln/detail/CVE-2023-39914
- https://nlnetlabs.nl/downloads/bcder/CVE-2023-39914.txt
- https://github.com/NLnetLabs/bcder/commit/4da91c3fd853e3d466d8581cf1d82b7f3255de56
- https://rustsec.org/advisories/RUSTSEC-2023-0062.html
- https://github.com/advisories/GHSA-6jmw-6mxw-w4jc
Blast Radius: 15.3
Affected Packages
cargo:bcder
Dependent packages: 13Dependent repositories: 109
Downloads: 764,614 total
Affected Version Ranges: < 0.7.3
Fixed in: 0.7.3
All affected versions: 0.1.0, 0.2.0, 0.2.1, 0.2.2, 0.3.0, 0.3.1, 0.4.0, 0.4.1, 0.4.2, 0.5.0, 0.5.1, 0.6.0, 0.6.1, 0.7.0, 0.7.1, 0.7.2
All unaffected versions: 0.7.3, 0.7.4