CVE-2023-39914 - Vulnerability Details - OpenCVE

NLnet Labs' bcder library up to and including version 0.7.2 panics while decoding certain invalid input data rather than rejecting the data with an error. This can affect both the actual decoding stage as well as accessing content of types that utilized delayed decoding.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Nlnetlabs	Bcder

Configuration 1 [-]

cpe:2.3:a:nlnetlabs:bcder:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://nlnetlabs.nl/downloads/bcder/CVE-2023-39914.txt

History

Thu, 12 Sep 2024 20:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 11 Sep 2024 16:30:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-228

Wed, 11 Sep 2024 15:45:00 +0000

Type	Values Removed	Values Added
Description	NLnet Labs’ bcder library up to and including version 0.7.2 panics while decoding certain invalid input data rather than rejecting the data with an error. This can affect both the actual decoding stage as well as accessing content of types that utilized delayed decoding.	NLnet Labs' bcder library up to and including version 0.7.2 panics while decoding certain invalid input data rather than rejecting the data with an error. This can affect both the actual decoding stage as well as accessing content of types that utilized delayed decoding.
Weaknesses		CWE-232 CWE-240

MITRE

Status: PUBLISHED

Assigner: NLnet Labs

Published: 2023-09-13T14:17:49.204Z

Updated: 2024-09-12T13:22:36.893Z

Reserved: 2023-08-07T11:55:17.843Z

Link: CVE-2023-39914

Vulnrichment

Updated: 2024-09-12T13:22:32.617Z

NVD

Status : Modified

Published: 2023-09-13T15:15:07.657

Modified: 2024-11-21T08:16:01.750

Link: CVE-2023-39914

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-39914", "assignerOrgId": "206fc3a0-e175-490b-9eaa-a5738056c9f6", "state": "PUBLISHED", "assignerShortName": "NLnet Labs", "dateReserved": "2023-08-07T11:55:17.843Z", "datePublished": "2023-09-13T14:17:49.204Z", "dateUpdated": "2024-09-12T13:22:36.893Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "bcder", "vendor": "NLnet Labs", "versions": [{"lessThan": "0.7.3", "status": "affected", "version": "*", "versionType": "semver"}, {"lessThan": "*", "status": "unaffected", "version": "0.7.3", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Haya Shulman"}, {"lang": "en", "type": "finder", "value": "Donika Mirdita"}, {"lang": "en", "type": "finder", "value": "Niklas Vogel"}], "datePublic": "2023-09-13T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "NLnet Labs' bcder library up to and including version 0.7.2 panics while decoding certain invalid input data rather than rejecting the data with an error. This can affect both the actual decoding stage as well as accessing content of types that utilized delayed decoding."}], "metrics": [{"cvssV3_1": {"baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-232", "description": "CWE-232: Improper Handling of Undefined Values", "lang": "en", "type": "CWE"}, {"cweId": "CWE-240", "description": "CWE-240: Improper Handling of Inconsistent Structural Elements", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "206fc3a0-e175-490b-9eaa-a5738056c9f6", "shortName": "NLnet Labs", "dateUpdated": "2024-09-11T15:34:05.255Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://nlnetlabs.nl/downloads/bcder/CVE-2023-39914.txt"}], "solutions": [{"lang": "en", "value": "This issue is fixed in 0.7.3 and all later versions."}], "timeline": [{"lang": "en", "time": "2023-07-19T18:00:00.000Z", "value": "Issue reported by Haya Shulman"}, {"lang": "en", "time": "2023-09-13T14:00:00.000Z", "value": "Fixes released"}], "title": "BER/CER/DER decoder panics on invalid input"}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T18:18:10.086Z"}, "title": "CVE Program Container", "references": [{"url": "https://nlnetlabs.nl/downloads/bcder/CVE-2023-39914.txt", "tags": ["vendor-advisory", "x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-12T13:22:23.054203Z", "id": "CVE-2023-39914", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-12T13:22:36.893Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-39914", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-12T13:22:23.054203Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2024-09-12T13:22:32.617Z"}}], "cna": {"title": "BER/CER/DER decoder panics on invalid input", "credits": [{"lang": "en", "type": "finder", "value": "Haya Shulman"}, {"lang": "en", "type": "finder", "value": "Donika Mirdita"}, {"lang": "en", "type": "finder", "value": "Niklas Vogel"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "NLnet Labs", "product": "bcder", "versions": [{"status": "affected", "version": "*", "lessThan": "0.7.3", "versionType": "semver"}, {"status": "unaffected", "version": "0.7.3", "lessThan": "*", "versionType": "semver"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2023-07-19T18:00:00.000Z", "value": "Issue reported by Haya Shulman"}, {"lang": "en", "time": "2023-09-13T14:00:00.000Z", "value": "Fixes released"}], "solutions": [{"lang": "en", "value": "This issue is fixed in 0.7.3 and all later versions."}], "datePublic": "2023-09-13T00:00:00.000Z", "references": [{"url": "https://nlnetlabs.nl/downloads/bcder/CVE-2023-39914.txt", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en", "value": "NLnet Labs' bcder library up to and including version 0.7.2 panics while decoding certain invalid input data rather than rejecting the data with an error. This can affect both the actual decoding stage as well as accessing content of types that utilized delayed decoding."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-232", "description": "CWE-232: Improper Handling of Undefined Values"}, {"lang": "en", "type": "CWE", "cweId": "CWE-240", "description": "CWE-240: Improper Handling of Inconsistent Structural Elements"}]}], "providerMetadata": {"orgId": "206fc3a0-e175-490b-9eaa-a5738056c9f6", "shortName": "NLnet Labs", "dateUpdated": "2024-09-11T15:34:05.255Z"}}}, "cveMetadata": {"cveId": "CVE-2023-39914", "state": "PUBLISHED", "dateUpdated": "2024-09-11T15:34:05.255Z", "dateReserved": "2023-08-07T11:55:17.843Z", "assignerOrgId": "206fc3a0-e175-490b-9eaa-a5738056c9f6", "datePublished": "2023-09-13T14:17:49.204Z", "assignerShortName": "NLnet Labs"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nlnetlabs:bcder:*:*:*:*:*:*:*:*", "matchCriteriaId": "01667F69-EC35-4FDC-96BE-E633C2F494C4", "versionEndExcluding": "0.7.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "NLnet Labs' bcder library up to and including version 0.7.2 panics while decoding certain invalid input data rather than rejecting the data with an error. This can affect both the actual decoding stage as well as accessing content of types that utilized delayed decoding."}, {"lang": "es", "value": "La biblioteca bder de NLnet Labs hasta la versi\u00f3n 0.7.2 incluida entra en p\u00e1nico al decodificar ciertos datos de entrada no v\u00e1lidos en lugar de rechazar los datos con un error. Esto puede afectar tanto a la etapa de decodificaci\u00f3n real como al acceso a contenidos de tipos que utilizaron decodificaci\u00f3n retrasada."}], "id": "CVE-2023-39914", "lastModified": "2024-11-21T08:16:01.750", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "sep@nlnetlabs.nl", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-09-13T15:15:07.657", "references": [{"source": "sep@nlnetlabs.nl", "tags": ["Vendor Advisory"], "url": "https://nlnetlabs.nl/downloads/bcder/CVE-2023-39914.txt"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://nlnetlabs.nl/downloads/bcder/CVE-2023-39914.txt"}], "sourceIdentifier": "sep@nlnetlabs.nl", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-232"}, {"lang": "en", "value": "CWE-240"}], "source": "sep@nlnetlabs.nl", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}