CVE-2023-39914 (GCVE-0-2023-39914)
Vulnerability from cvelistv5
Published
2023-09-13 14:17
Modified
2024-09-12 13:22
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE
  • CWE-232 - Improper Handling of Undefined Values
  • CWE-240 - Improper Handling of Inconsistent Structural Elements
Summary
NLnet Labs' bcder library up to and including version 0.7.2 panics while decoding certain invalid input data rather than rejecting the data with an error. This can affect both the actual decoding stage as well as accessing content of types that utilized delayed decoding.
References
Impacted products
Vendor Product Version
NLnet Labs bcder Version: *   
Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T18:18:10.086Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://nlnetlabs.nl/downloads/bcder/CVE-2023-39914.txt"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-39914",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-12T13:22:23.054203Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-12T13:22:36.893Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "bcder",
          "vendor": "NLnet Labs",
          "versions": [
            {
              "lessThan": "0.7.3",
              "status": "affected",
              "version": "*",
              "versionType": "semver"
            },
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0.7.3",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Haya Shulman"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Donika Mirdita"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Niklas Vogel"
        }
      ],
      "datePublic": "2023-09-13T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "NLnet Labs\u0027 bcder library up to and including version 0.7.2 panics while decoding certain invalid input data rather than rejecting the data with an error. This can affect both the actual decoding stage as well as accessing content of types that utilized delayed decoding."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-232",
              "description": "CWE-232: Improper Handling of Undefined Values",
              "lang": "en",
              "type": "CWE"
            },
            {
              "cweId": "CWE-240",
              "description": "CWE-240: Improper Handling of Inconsistent Structural Elements",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-09-11T15:34:05.255Z",
        "orgId": "206fc3a0-e175-490b-9eaa-a5738056c9f6",
        "shortName": "NLnet Labs"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://nlnetlabs.nl/downloads/bcder/CVE-2023-39914.txt"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "This issue is fixed in 0.7.3 and all later versions."
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2023-07-19T18:00:00.000Z",
          "value": "Issue reported by Haya Shulman"
        },
        {
          "lang": "en",
          "time": "2023-09-13T14:00:00.000Z",
          "value": "Fixes released"
        }
      ],
      "title": "BER/CER/DER decoder panics on invalid input"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "206fc3a0-e175-490b-9eaa-a5738056c9f6",
    "assignerShortName": "NLnet Labs",
    "cveId": "CVE-2023-39914",
    "datePublished": "2023-09-13T14:17:49.204Z",
    "dateReserved": "2023-08-07T11:55:17.843Z",
    "dateUpdated": "2024-09-12T13:22:36.893Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-39914\",\"sourceIdentifier\":\"sep@nlnetlabs.nl\",\"published\":\"2023-09-13T15:15:07.657\",\"lastModified\":\"2024-11-21T08:16:01.750\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"NLnet Labs\u0027 bcder library up to and including version 0.7.2 panics while decoding certain invalid input data rather than rejecting the data with an error. This can affect both the actual decoding stage as well as accessing content of types that utilized delayed decoding.\"},{\"lang\":\"es\",\"value\":\"La biblioteca bder de NLnet Labs hasta la versi\u00f3n 0.7.2 incluida entra en p\u00e1nico al decodificar ciertos datos de entrada no v\u00e1lidos en lugar de rechazar los datos con un error. Esto puede afectar tanto a la etapa de decodificaci\u00f3n real como al acceso a contenidos de tipos que utilizaron decodificaci\u00f3n retrasada.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"sep@nlnetlabs.nl\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"sep@nlnetlabs.nl\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-232\"},{\"lang\":\"en\",\"value\":\"CWE-240\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nlnetlabs:bcder:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"0.7.3\",\"matchCriteriaId\":\"01667F69-EC35-4FDC-96BE-E633C2F494C4\"}]}]}],\"references\":[{\"url\":\"https://nlnetlabs.nl/downloads/bcder/CVE-2023-39914.txt\",\"source\":\"sep@nlnetlabs.nl\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://nlnetlabs.nl/downloads/bcder/CVE-2023-39914.txt\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-39914\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-09-12T13:22:23.054203Z\"}}}], \"providerMetadata\": {\"shortName\": \"CISA-ADP\", \"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"dateUpdated\": \"2024-09-12T13:22:32.617Z\"}}], \"cna\": {\"title\": \"BER/CER/DER decoder panics on invalid input\", \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Haya Shulman\"}, {\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Donika Mirdita\"}, {\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Niklas Vogel\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"version\": \"3.1\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"NLnet Labs\", \"product\": \"bcder\", \"versions\": [{\"status\": \"affected\", \"version\": \"*\", \"lessThan\": \"0.7.3\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"0.7.3\", \"lessThan\": \"*\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unaffected\"}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2023-07-19T18:00:00.000Z\", \"value\": \"Issue reported by Haya Shulman\"}, {\"lang\": \"en\", \"time\": \"2023-09-13T14:00:00.000Z\", \"value\": \"Fixes released\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"This issue is fixed in 0.7.3 and all later versions.\"}], \"datePublic\": \"2023-09-13T00:00:00.000Z\", \"references\": [{\"url\": \"https://nlnetlabs.nl/downloads/bcder/CVE-2023-39914.txt\", \"tags\": [\"vendor-advisory\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"NLnet Labs\u0027 bcder library up to and including version 0.7.2 panics while decoding certain invalid input data rather than rejecting the data with an error. This can affect both the actual decoding stage as well as accessing content of types that utilized delayed decoding.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-232\", \"description\": \"CWE-232: Improper Handling of Undefined Values\"}, {\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-240\", \"description\": \"CWE-240: Improper Handling of Inconsistent Structural Elements\"}]}], \"providerMetadata\": {\"orgId\": \"206fc3a0-e175-490b-9eaa-a5738056c9f6\", \"shortName\": \"NLnet Labs\", \"dateUpdated\": \"2024-09-11T15:34:05.255Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-39914\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-09-11T15:34:05.255Z\", \"dateReserved\": \"2023-08-07T11:55:17.843Z\", \"assignerOrgId\": \"206fc3a0-e175-490b-9eaa-a5738056c9f6\", \"datePublished\": \"2023-09-13T14:17:49.204Z\", \"assignerShortName\": \"NLnet Labs\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.