Severity: 7.5 HIGH (NVD)
EPSS: 0.2% (top 52.30%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Sep 13 | Latest update Dec 4

Description

NLnet Labs' bcder library up to and including version 0.7.2 panics while decoding certain invalid input data rather than rejecting the data with an error. This affects both the decoding stage itself and later access to the content of types that use delayed decoding.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (Exploitability: 3.9 | Impact: 3.6)

Affected Packages (5 packages)

Source | Package | Version range
NVD | nlnetlabs/bcder | < 0.7.3
crates.io | nlnetlabs/bcder | 0.0.0-0 .. 0.7.3+1
CVEListV5 | nlnet_labs/bcder | * (fixed in 0.7.3)
NVD | nlnetlabs/routinator | < 0.12.2
CVEListV5 | nlnet_labs/routinator | * (fixed in 0.12.2)

Vulnerability Details (7)

Source | Title | Date
CVEList | BER/CER/DER decoder panics on invalid input | 2023-09-13
GHSA | BER/CER/DER decoder panics on invalid input | 2023-09-13
GHSA | GHSA-xhpp-8gq6-3hf5: NLnet Labs' Routinator up to and including version 0 | 2023-09-13
OSV | BER/CER/DER decoder panics on invalid input | 2023-09-13
OSV | BER/CER/DER decoder panics on invalid input | 2023-09-13

Vendor Advisories (1)

Source | Title | Date
Debian | CVE-2023-39914: rust-bcder - NLnet Labs' bcder library up to and including version 0.7.2 panics while decodin... | 2023

Research Papers (1)

Source | Title | Date
arXiv | The CURE To Vulnerabilities in RPKI Validation | 2023-12-04