CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
AI Score
Confidence
Low
The phonenumber parsing code may panic due to a reachable assert!
guard on the phonenumber string.
In a typical deployment of rust-phonenumber, this may get triggered by feeding a maliciously crafted phonenumber, e.g. over the network, specifically strings of the form +dwPAA;phone-context=AA
, where the “number” part potentially parses as a number larger than 2^56.
Since f69abee1/0.3.4/#52.
0.2.x series is not affected.
Patches have been published as version 0.3.6+8.13.36
.