CVE-2023-3766

A vulnerability was discovered in the odoh-rs rust crate that stems from faulty logic during the parsing of encrypted queries. This issue specifically occurs when processing encrypted query data received from remote clients and enables an attacker with knowledge of this vulnerability to craft and send specially designed encrypted queries to targeted ODOH servers running with odoh-rs. Upon successful exploitation, the server will crash abruptly, disrupting its normal operation and rendering the service temporarily unavailable.

CVSS v3 5.9 MEDIUM

5.9^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.2 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/cloudflare/odoh-rs/pull/28	Patch Vendor Advisory
https://github.com/cloudflare/odoh-rs/security/advisories/GHSA-gpcv-p28p-fv2p	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:cloudflare:odoh-rs:*:*:*:*:*:rust:*:*

History

10 Aug 2023, 14:00

Type	Values Removed	Values Added
CPE		cpe:2.3:a:cloudflare:odoh-rs::::::rust::*
References	~~(MISC) https://github.com/cloudflare/odoh-rs/security/advisories/GHSA-gpcv-p28p-fv2p -~~	(MISC) https://github.com/cloudflare/odoh-rs/security/advisories/GHSA-gpcv-p28p-fv2p - Vendor Advisory
References	~~(MISC) https://github.com/cloudflare/odoh-rs/pull/28 -~~	(MISC) https://github.com/cloudflare/odoh-rs/pull/28 - Patch, Vendor Advisory
First Time		Cloudflare odoh-rs Cloudflare
CWE		CWE-120
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.9

03 Aug 2023, 15:37

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-08-03 15:15

Updated : 2023-12-10 15:14

NVD link : CVE-2023-3766

Mitre link : CVE-2023-3766

CVE.ORG link : CVE-2023-3766

JSON object : View

Products Affected

cloudflare

odoh-rs

CWE

CWE-120

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

{"id": "CVE-2023-3766", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.2}, {"type": "Secondary", "source": "cna@cloudflare.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.2}]}, "published": "2023-08-03T15:15:32.097", "references": [{"url": "https://github.com/cloudflare/odoh-rs/pull/28", "tags": ["Patch", "Vendor Advisory"], "source": "cna@cloudflare.com"}, {"url": "https://github.com/cloudflare/odoh-rs/security/advisories/GHSA-gpcv-p28p-fv2p", "tags": ["Vendor Advisory"], "source": "cna@cloudflare.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-120"}]}, {"type": "Secondary", "source": "cna@cloudflare.com", "description": [{"lang": "en", "value": "CWE-120"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability was discovered in the odoh-rs rust crate that stems from faulty logic during the parsing of encrypted queries. This issue specifically occurs when processing encrypted query data received from remote clients and enables an attacker\u00a0with knowledge of this vulnerability to craft and send specially designed encrypted queries to targeted ODOH servers running with odoh-rs. Upon successful exploitation, the server will crash abruptly, disrupting its normal operation and rendering the service temporarily unavailable.\n\n"}], "lastModified": "2023-08-10T14:00:07.877", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:cloudflare:odoh-rs:*:*:*:*:*:rust:*:*", "vulnerable": true, "matchCriteriaId": "B3221FFC-89CD-49F9-B571-82AF6E35E693", "versionEndExcluding": "1.0.2"}], "operator": "OR"}]}], "sourceIdentifier": "cna@cloudflare.com"}