CVE-2023-39914

NLnet Labs’ bcder library up to and including version 0.7.2 panics while decoding certain invalid input data rather than rejecting the data with an error. This can affect both the actual decoding stage as well as accessing content of types that utilized delayed decoding.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://nlnetlabs.nl/downloads/bcder/CVE-2023-39914.txt	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:nlnetlabs:bcder:*:*:*:*:*:*:*:*

History

15 Sep 2023, 15:17

Type	Values Removed	Values Added
References	~~(MISC) https://nlnetlabs.nl/downloads/bcder/CVE-2023-39914.txt -~~	(MISC) https://nlnetlabs.nl/downloads/bcder/CVE-2023-39914.txt - Vendor Advisory
CPE		cpe:2.3:a:nlnetlabs:bcder::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5
CWE		NVD-CWE-noinfo
First Time		Nlnetlabs bcder Nlnetlabs

13 Sep 2023, 16:34

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-09-13 15:15

Updated : 2023-12-10 15:14

NVD link : CVE-2023-39914

Mitre link : CVE-2023-39914

CVE.ORG link : CVE-2023-39914

JSON object : View

Products Affected

nlnetlabs

bcder

CWE

NVD-CWE-noinfo CWE-228

Improper Handling of Syntactically Invalid Structure

{"id": "CVE-2023-39914", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "sep@nlnetlabs.nl", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2023-09-13T15:15:07.657", "references": [{"url": "https://nlnetlabs.nl/downloads/bcder/CVE-2023-39914.txt", "tags": ["Vendor Advisory"], "source": "sep@nlnetlabs.nl"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}, {"type": "Secondary", "source": "sep@nlnetlabs.nl", "description": [{"lang": "en", "value": "CWE-228"}]}], "descriptions": [{"lang": "en", "value": "NLnet Labs\u2019 bcder library up to and including version 0.7.2 panics while decoding certain invalid input data rather than rejecting the data with an error. This can affect both the actual decoding stage as well as accessing content of types that utilized delayed decoding."}, {"lang": "es", "value": "La biblioteca bder de NLnet Labs hasta la versi\u00f3n 0.7.2 incluida entra en p\u00e1nico al decodificar ciertos datos de entrada no v\u00e1lidos en lugar de rechazar los datos con un error. Esto puede afectar tanto a la etapa de decodificaci\u00f3n real como al acceso a contenidos de tipos que utilizaron decodificaci\u00f3n retrasada."}], "lastModified": "2023-09-15T15:17:58.497", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:nlnetlabs:bcder:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "01667F69-EC35-4FDC-96BE-E633C2F494C4", "versionEndExcluding": "0.7.3"}], "operator": "OR"}]}], "sourceIdentifier": "sep@nlnetlabs.nl"}