CVE-2023-39914: BER/CER/DER decoder panics on invalid input

September 13, 2023 (updated September 11, 2024)

NLnet Labs’ bcder library up to and including version 0.7.2 panics while decoding certain invalid input data rather than rejecting the data with an error. This can affect both the actual decoding stage as well as accessing content of types that utilized delayed decoding.

References

github.com/NLnetLabs/bcder
github.com/NLnetLabs/bcder/commit/4da91c3fd853e3d466d8581cf1d82b7f3255de56
github.com/advisories/GHSA-6jmw-6mxw-w4jc
nlnetlabs.nl/downloads/bcder/CVE-2023-39914.txt
nvd.nist.gov/vuln/detail/CVE-2023-39914
rustsec.org/advisories/RUSTSEC-2023-0062.html

Code Behaviors & Features

Detect and mitigate CVE-2023-39914 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →