Vulnerabilities > CVE-2023-42444 - Improper Validation of Specified Quantity in Input vulnerability in Whisperfish Phonenumber

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

NONE

Availability impact

HIGH

network

low complexity

whisperfish

CWE-1284

NVD

Published: 2023-09-19

Updated: 2023-09-22

Summary

phonenumber is a library for parsing, formatting and validating international phone numbers. Prior to versions `0.3.3+8.13.9` and `0.2.5+8.11.3`, the phonenumber parsing code may panic due to a panic-guarded out-of-bounds access on the phonenumber string. In a typical deployment of `rust-phonenumber`, this may get triggered by feeding a maliciously crafted phonenumber over the network, specifically the string `.;phone-context=`. Versions `0.3.3+8.13.9` and `0.2.5+8.11.3` contain a patch for this issue. There are no known workarounds.

Vulnerable Configurations

Part	Description	Count
Application	Whisperfish Whisperfish Phonenumber 0.1.0\+8.7.0 Whisperfish Phonenumber 0.2.0\+8.9.0 Whisperfish Phonenumber 0.2.1\+8.9.0 Whisperfish Phonenumber 0.2.3\+8.10.6 Whisperfish Phonenumber 0.2.4\+8.11.3 Whisperfish Phonenumber 0.3.0\+8.12.9 Whisperfish Phonenumber 0.3.1\+8.12.9 Whisperfish Phonenumber 0.3.2\+8.13.9	8

Common Weakness Enumeration (CWE)

CWE-1284 - Improper Validation of Specified Quantity in Input

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References