CVE-2024-53856
Published 2024-12-05
Priority: P3 · 38 · high · CVSS 3.1 base score 7.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.45% (35.7th percentile)
rPGP is a pure Rust implementation of OpenPGP. Prior to 0.14.1, rPGP allows an attacker to trigger rpgp crashes by providing crafted data. This vulnerability is fixed in 0.14.1.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | rust-pgp | < rust-pgp 0.14.2-1 (forky) | rust-pgp 0.14.2-1 (forky) |
| pgp | pgp | >= 0 < 0.14.1 | 0.14.1 |
| pgp | pgp | >= 0.0.0-0 < 0.14.1 | 0.14.1 |
| rpgp | rpgp | < 0.14.1 | 0.14.1 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| osv | | 7.5 | HIGH | |
| vendor_debian | | 7.5 | HIGH | |
OSV
CVE-2024-53856: rPGP is a pure Rust implementation of OpenPGP
osv · 2024-12-05 · CVSS 7.5 (HIGH)
rPGP is a pure Rust implementation of OpenPGP. Prior to 0.14.1, rPGP allows an attacker to trigger rpgp crashes by providing crafted data. This vulnerability is fixed in 0.14.1.
GHSA
rPGP Panics on Malformed Untrusted Input
ghsa · 2024-12-05 · HIGH · CWE-130
During a security audit, [Radically Open Security](https://www.radicallyopensecurity.com/) discovered several reachable edge cases which allow an attacker to trigger `rpgp` crashes by providing crafted data.
### Impact
When processing malformed input, `rpgp` can run into Rust panics which halt the program.
This can happen in the following scenarios:
* Parsing OpenPGP messages from binary or armor format
* Decrypting OpenPGP messages via `decrypt_with_password()`
* Parsing or converting public keys
* Parsing signed cleartext messages from armor format
* Using malformed private keys to sign or encrypt
Given the affected components, we consider most attack vectors to be reachable by remote attackers during typical use cases of the `rpgp` library. The attack complexity is low since the malformed messag
Debian
CVE-2024-53856: rust-pgp
vendor_debian · 2024 · CVSS 7.5 (HIGH)
rPGP is a pure Rust implementation of OpenPGP. Prior to 0.14.1, rPGP allows an attacker to trigger rpgp crashes by providing crafted data. This vulnerability is fixed in 0.14.1.
Scope: local
* forky: resolved (fixed in 0.14.2-1)
* sid: resolved (fixed in 0.14.2-1)
* trixie: resolved (fixed in 0.14.2-1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.