Vulnerabilites related to NLnet Labs - bcder
CVE-2023-39914 (GCVE-0-2023-39914)
Vulnerability from cvelistv5
Published
2023-09-13 14:17
Modified
2024-09-12 13:22
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
NLnet Labs' bcder library up to and including version 0.7.2 panics while decoding certain invalid input data rather than rejecting the data with an error. This can affect both the actual decoding stage as well as accessing content of types that utilized delayed decoding.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| NLnet Labs | bcder |
Version: * ≤ |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T18:18:10.086Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://nlnetlabs.nl/downloads/bcder/CVE-2023-39914.txt"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-39914",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-12T13:22:23.054203Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-12T13:22:36.893Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "bcder",
"vendor": "NLnet Labs",
"versions": [
{
"lessThan": "0.7.3",
"status": "affected",
"version": "*",
"versionType": "semver"
},
{
"lessThan": "*",
"status": "unaffected",
"version": "0.7.3",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Haya Shulman"
},
{
"lang": "en",
"type": "finder",
"value": "Donika Mirdita"
},
{
"lang": "en",
"type": "finder",
"value": "Niklas Vogel"
}
],
"datePublic": "2023-09-13T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "NLnet Labs\u0027 bcder library up to and including version 0.7.2 panics while decoding certain invalid input data rather than rejecting the data with an error. This can affect both the actual decoding stage as well as accessing content of types that utilized delayed decoding."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-232",
"description": "CWE-232: Improper Handling of Undefined Values",
"lang": "en",
"type": "CWE"
},
{
"cweId": "CWE-240",
"description": "CWE-240: Improper Handling of Inconsistent Structural Elements",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T15:34:05.255Z",
"orgId": "206fc3a0-e175-490b-9eaa-a5738056c9f6",
"shortName": "NLnet Labs"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://nlnetlabs.nl/downloads/bcder/CVE-2023-39914.txt"
}
],
"solutions": [
{
"lang": "en",
"value": "This issue is fixed in 0.7.3 and all later versions."
}
],
"timeline": [
{
"lang": "en",
"time": "2023-07-19T18:00:00.000Z",
"value": "Issue reported by Haya Shulman"
},
{
"lang": "en",
"time": "2023-09-13T14:00:00.000Z",
"value": "Fixes released"
}
],
"title": "BER/CER/DER decoder panics on invalid input"
}
},
"cveMetadata": {
"assignerOrgId": "206fc3a0-e175-490b-9eaa-a5738056c9f6",
"assignerShortName": "NLnet Labs",
"cveId": "CVE-2023-39914",
"datePublished": "2023-09-13T14:17:49.204Z",
"dateReserved": "2023-08-07T11:55:17.843Z",
"dateUpdated": "2024-09-12T13:22:36.893Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}