CVE-2023-42444: phonenumber panics on parsing crafted RFC3966 inputs
(updated )
The phonenumber parsing code may panic due to a panic-guarded out-of-bounds access on the phonenumber string.
In a typical deployment of rust-phonenumber, this may get triggered by feeding a maliciously crafted phonenumber over the network, specifically the string .;phone-context=.
References
- github.com/advisories/GHSA-whhr-7f2w-qqj2
- github.com/whisperfish/rust-phonenumber
- github.com/whisperfish/rust-phonenumber/commit/2dd44be94539c051b4dee55d1d9d349bd7bedde6
- github.com/whisperfish/rust-phonenumber/commit/bea8e732b9cada617ede5cf51663dba183747f71
- github.com/whisperfish/rust-phonenumber/security/advisories/GHSA-whhr-7f2w-qqj2
- nvd.nist.gov/vuln/detail/CVE-2023-42444
Code Behaviors & Features
Detect and mitigate CVE-2023-42444 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →