GHSA-GPCV-P28P-FV2P

Vulnerability from github – Published: 2023-08-03 16:35 – Updated: 2023-08-03 16:35
VLAI?
Summary
odoh-rs's Invalid Slice Split Results in Server Panic
Details

A vulnerability was discovered in the odoh-rs rust crate that stems from faulty logic during the parsing of encrypted queries. This issue specifically occurs when processing encrypted query data received from remote clients.

Impact

An attacker with knowledge of this vulnerability could craft and send specially designed encrypted queries to targeted ODOH servers running with odoh-rs. Upon successful exploitation, the server will crash abruptly, disrupting its normal operation and rendering the service temporarily unavailable.

Patches

Users are encouraged to update their odoh-rs's rust crate to v1.0.2.

Severity ?
5.9 (Medium)
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "odoh-rs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-3766"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-120"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-08-03T16:35:20Z",
    "nvd_published_at": "2023-08-03T15:15:32Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was discovered in the odoh-rs rust crate that stems from faulty logic during the parsing of encrypted queries. This issue specifically occurs when processing encrypted query data received from remote clients.\n\n### Impact\nAn attacker with knowledge of this vulnerability could craft and send specially designed encrypted queries to targeted ODOH servers running with odoh-rs. Upon successful exploitation, the server will crash abruptly, disrupting its normal operation and rendering the service temporarily unavailable.\n\n### Patches\nUsers are encouraged to update their odoh-rs\u0027s rust crate to v1.0.2.",
  "id": "GHSA-gpcv-p28p-fv2p",
  "modified": "2023-08-03T16:35:20Z",
  "published": "2023-08-03T16:35:20Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/cloudflare/odoh-rs/security/advisories/GHSA-gpcv-p28p-fv2p"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3766"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cloudflare/odoh-rs/pull/28"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cloudflare/odoh-rs/commit/c1bc4ed71dcc9842b7dc1ea26f278f105074bbaa"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/cloudflare/odoh-rs"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "odoh-rs\u0027s Invalid Slice Split Results in Server Panic"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.