CVE-2024-53857 — Allocation of Resources Without Limits or Throttling in Rpgp

CWE-770 — Allocation of Resources Without Limits or Throttling5 documents4 sources

Severity

7.5HIGHNVD

EPSS

0.3%

top 49.19%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Rpgp PGP Debian Rust-pgp

Timeline

PublishedDec 5

Description

rPGP is a pure Rust implementation of OpenPGP. Prior to 0.14.1, rPGP allows attackers to trigger resource exhaustion vulnerabilities in rpgp by providing crafted messages. This affects general message parsing and decryption with symmetric keys.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶CVEListV5rpgp/rpgp< 0.14.1

▶debiandebian/rust-pgp< rust-pgp 0.14.2-1 (forky)

▶crates.iopgp/pgp< 0.14.2

🔴Vulnerability Details

GHSA

rPGP Potential Resource Exhaustion when handling Untrusted Messages↗2024-12-05

▶

OSV

CVE-2024-53857: rPGP is a pure Rust implementation of OpenPGP↗2024-12-05

▶

OSV

rPGP Potential Resource Exhaustion when handling Untrusted Messages↗2024-12-05

▶

📋Vendor Advisories

Debian

CVE-2024-53857: rust-pgp - rPGP is a pure Rust implementation of OpenPGP. Prior to 0.14.1, rPGP allows atta...↗2024

▶