{"id":"RUSTSEC-2024-0369","summary":"phonenumber:  panic on parsing crafted phonenumber inputs","details":"### Impact\n\nThe phonenumber parsing code may panic due to a reachable `assert!` guard on the phonenumber string.\n\nIn a typical deployment of rust-phonenumber, this may get triggered by feeding a maliciously crafted phonenumber, e.g. over the network, specifically strings of the form `+dwPAA;phone-context=AA`, where the \"number\" part potentially parses as a number larger than 2^56.\n\nSince f69abee1/0.3.4/#52.\n\n0.2.x series is not affected.\n\n### Patches\nPatches have been published as version `0.3.6+8.13.36`.","aliases":["CVE-2024-39697","GHSA-mjw4-jj88-v687"],"modified":"2024-09-05T13:57:23.822708Z","published":"2024-07-07T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/phonenumber"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2024-0369.html"},{"type":"ADVISORY","url":"https://github.com/whisperfish/rust-phonenumber/security/advisories/GHSA-mjw4-jj88-v687"},{"type":"ADVISORY","url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39697"}],"affected":[{"package":{"name":"phonenumber","ecosystem":"crates.io","purl":"pkg:cargo/phonenumber"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.3.3"},{"fixed":"0.3.6"}]}],"ecosystem_specific":{"affects":{"functions":["phonenumber::parse"],"os":[],"arch":[]},"affected_functions":null},"database_specific":{"informational":null,"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2024-0369.json","cvss":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H","categories":["denial-of-service"]}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H"}]}