Vulnerability Details CVE-2023-42444
phonenumber is a library for parsing, formatting and validating international phone numbers. Prior to versions `0.3.3+8.13.9` and `0.2.5+8.11.3`, the phonenumber parsing code may panic due to a panic-guarded out-of-bounds access on the phonenumber string. In a typical deployment of `rust-phonenumber`, this may get triggered by feeding a maliciously crafted phonenumber over the network, specifically the string `.;phone-context=`. Versions `0.3.3+8.13.9` and `0.2.5+8.11.3` contain a patch for this issue. There are no known workarounds.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.006
EPSS Ranking 67.0%
CVSS Severity
CVSS v3 Score 8.6
References
- https://github.com/whisperfish/rust-phonenumber/commit/2dd44be94539c051b4dee55d1d9d349bd7bedde6
- https://github.com/whisperfish/rust-phonenumber/commit/bea8e732b9cada617ede5cf51663dba183747f71
- https://github.com/whisperfish/rust-phonenumber/security/advisories/GHSA-whhr-7f2w-qqj2
- https://github.com/whisperfish/rust-phonenumber/commit/2dd44be94539c051b4dee55d1d9d349bd7bedde6
- https://github.com/whisperfish/rust-phonenumber/commit/bea8e732b9cada617ede5cf51663dba183747f71
- https://github.com/whisperfish/rust-phonenumber/security/advisories/GHSA-whhr-7f2w-qqj2
Products affected by CVE-2023-42444
-
cpe:2.3:a:whisperfish:phonenumber:0.1.0+8.7.0
-
cpe:2.3:a:whisperfish:phonenumber:0.2.0+8.9.0
-
cpe:2.3:a:whisperfish:phonenumber:0.2.1+8.9.0
-
cpe:2.3:a:whisperfish:phonenumber:0.2.3+8.10.6
-
cpe:2.3:a:whisperfish:phonenumber:0.2.4+8.11.3
-
cpe:2.3:a:whisperfish:phonenumber:0.3.0+8.12.9
-
cpe:2.3:a:whisperfish:phonenumber:0.3.1+8.12.9
-
cpe:2.3:a:whisperfish:phonenumber:0.3.2+8.13.9