CVE-2023-42444

Summary

phonenumber is a library for parsing, formatting and validating international phone numbers. Prior to versions 0.3.3+8.13.9 and 0.2.5+8.11.3, the phonenumber parsing code may panic due to a panic-guarded out-of-bounds access on the phonenumber string. In a typical deployment of rust-phonenumber, this may get triggered by feeding a maliciously crafted phonenumber over the network, specifically the string .;phone-context=. Versions 0.3.3+8.13.9 and 0.2.5+8.11.3 contain a patch for this issue. There are no known workarounds.

Affected Software

VendorProductVersion RangeStatus
whisperfishrust-phonenumber< 0.2.5+8.11.3affected
whisperfishrust-phonenumber>= 0.3.0, < 0.3.3+8.3.19affected

Weaknesses

  • CWE-248: CWE-248: Uncaught Exception
  • CWE-392: CWE-392: Missing Report of Error Condition
  • CWE-1284: CWE-1284: Improper Validation of Specified Quantity in Input

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References