Vulnerability-Lookup

CVE-2024-53856 (GCVE-0-2024-53856)

Vulnerability from cvelistv5 – Published: 2024-12-05 15:24 – Updated: 2024-12-09 20:23

Title

rPGP Panics on Malformed Untrusted Input

Summary

rPGP is a pure Rust implementation of OpenPGP. Prior to 0.14.1, rPGP allows an attacker to trigger rpgp crashes by providing crafted data. This vulnerability is fixed in 0.14.1.

Severity

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-130 - Improper Handling of Length Parameter Inconsistency
CWE-148 - Improper Neutralization of Input Leaders
CWE-617 - Reachable Assertion

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/rpgp/rpgp/security/advisories/…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
rpgp	rpgp	Affected: < 0.14.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-53856",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-12-09T20:22:29.915489Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-12-09T20:23:09.592Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "rpgp",
          "vendor": "rpgp",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.14.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "rPGP is a pure Rust implementation of OpenPGP. Prior to 0.14.1, rPGP allows an attacker to trigger rpgp crashes by providing crafted data. This vulnerability is fixed in 0.14.1."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-130",
              "description": "CWE-130: Improper Handling of Length Parameter Inconsistency",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-148",
              "description": "CWE-148: Improper Neutralization of Input Leaders",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-617",
              "description": "CWE-617: Reachable Assertion",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-05T15:24:36.049Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/rpgp/rpgp/security/advisories/GHSA-9rmp-2568-59rv",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/rpgp/rpgp/security/advisories/GHSA-9rmp-2568-59rv"
        }
      ],
      "source": {
        "advisory": "GHSA-9rmp-2568-59rv",
        "discovery": "UNKNOWN"
      },
      "title": "rPGP Panics on Malformed Untrusted Input"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-53856",
    "datePublished": "2024-12-05T15:24:36.049Z",
    "dateReserved": "2024-11-22T17:30:02.142Z",
    "dateUpdated": "2024-12-09T20:23:09.592Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2024-53856",
      "date": "2026-05-27",
      "epss": "0.00279",
      "percentile": "0.5137"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-53856\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-12-05T16:15:26.237\",\"lastModified\":\"2024-12-05T16:15:26.237\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"rPGP is a pure Rust implementation of OpenPGP. Prior to 0.14.1, rPGP allows an attacker to trigger rpgp crashes by providing crafted data. This vulnerability is fixed in 0.14.1.\"},{\"lang\":\"es\",\"value\":\"rPGP es una implementaci\u00f3n pura de OpenPGP en Rust. Antes de la versi\u00f3n 0.14.1, rPGP permite a un atacante provocar fallas de rpgp al proporcionar datos manipulados. Esta vulnerabilidad se solucion\u00f3 en la versi\u00f3n 0.14.1.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-130\"},{\"lang\":\"en\",\"value\":\"CWE-148\"},{\"lang\":\"en\",\"value\":\"CWE-617\"}]}],\"references\":[{\"url\":\"https://github.com/rpgp/rpgp/security/advisories/GHSA-9rmp-2568-59rv\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-53856\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-12-09T20:22:29.915489Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-12-09T20:23:03.905Z\"}}], \"cna\": {\"title\": \"rPGP Panics on Malformed Untrusted Input\", \"source\": {\"advisory\": \"GHSA-9rmp-2568-59rv\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"rpgp\", \"product\": \"rpgp\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 0.14.1\"}]}], \"references\": [{\"url\": \"https://github.com/rpgp/rpgp/security/advisories/GHSA-9rmp-2568-59rv\", \"name\": \"https://github.com/rpgp/rpgp/security/advisories/GHSA-9rmp-2568-59rv\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"rPGP is a pure Rust implementation of OpenPGP. Prior to 0.14.1, rPGP allows an attacker to trigger rpgp crashes by providing crafted data. This vulnerability is fixed in 0.14.1.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-130\", \"description\": \"CWE-130: Improper Handling of Length Parameter Inconsistency\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-148\", \"description\": \"CWE-148: Improper Neutralization of Input Leaders\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-617\", \"description\": \"CWE-617: Reachable Assertion\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-12-05T15:24:36.049Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-53856\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-12-09T20:23:09.592Z\", \"dateReserved\": \"2024-11-22T17:30:02.142Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-12-05T15:24:36.049Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

FKIE_CVE-2024-53856

Vulnerability from fkie_nvd - Published: 2024-12-05 16:15 - Updated: 2026-04-15 00:35

Severity

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

rPGP is a pure Rust implementation of OpenPGP. Prior to 0.14.1, rPGP allows an attacker to trigger rpgp crashes by providing crafted data. This vulnerability is fixed in 0.14.1.

References

	URL	Tags
	security-advisories@github.com	https://github.com/rpgp/rpgp/security/advisories/GHSA-9rmp-2568-59rv

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "rPGP is a pure Rust implementation of OpenPGP. Prior to 0.14.1, rPGP allows an attacker to trigger rpgp crashes by providing crafted data. This vulnerability is fixed in 0.14.1."
    },
    {
      "lang": "es",
      "value": "rPGP es una implementaci\u00f3n pura de OpenPGP en Rust. Antes de la versi\u00f3n 0.14.1, rPGP permite a un atacante provocar fallas de rpgp al proporcionar datos manipulados. Esta vulnerabilidad se solucion\u00f3 en la versi\u00f3n 0.14.1."
    }
  ],
  "id": "CVE-2024-53856",
  "lastModified": "2026-04-15T00:35:42.020",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-12-05T16:15:26.237",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/rpgp/rpgp/security/advisories/GHSA-9rmp-2568-59rv"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-130"
        },
        {
          "lang": "en",
          "value": "CWE-148"
        },
        {
          "lang": "en",
          "value": "CWE-617"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-9RMP-2568-59RV

Vulnerability from github – Published: 2024-12-05 17:30 – Updated: 2025-12-26 16:30

Summary

rPGP Panics on Malformed Untrusted Input

Details

During a security audit, Radically Open Security discovered several reachable edge cases which allow an attacker to trigger rpgp crashes by providing crafted data.

Impact

When processing malformed input, rpgp can run into Rust panics which halt the program.

This can happen in the following scenarios: * Parsing OpenPGP messages from binary or armor format * Decrypting OpenPGP messages via decrypt_with_password() * Parsing or converting public keys * Parsing signed cleartext messages from armor format * Using malformed private keys to sign or encrypt

Given the affected components, we consider most attack vectors to be reachable by remote attackers during typical use cases of the rpgp library. The attack complexity is low since the malformed messages are generic, short, and require no victim-specific knowledge.

The result is a denial-of-service impact via program termination. There is no impact to confidentiality or integrity security properties.

Versions and Patches

All recent versions are affected by at least some of the above mentioned issues.

The vulnerabilities have been fixed with version 0.14.1. We recommend all users to upgrade to this version.

References

The security audit was made possible by the NLnet Foundation NGI Zero Core grant program for rpgp.

Severity

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

8.7 (High)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "pgp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.14.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-53856"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-130",
      "CWE-248",
      "CWE-617"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-12-05T17:30:52Z",
    "nvd_published_at": "2024-12-05T16:15:26Z",
    "severity": "HIGH"
  },
  "details": "During a security audit, [Radically Open Security](https://www.radicallyopensecurity.com/) discovered several reachable edge cases which allow an attacker to trigger `rpgp` crashes by providing crafted data.\n\n### Impact\nWhen processing malformed input, `rpgp` can run into Rust panics which halt the program.\n\nThis can happen in the following scenarios:\n* Parsing OpenPGP messages from binary or armor format\n* Decrypting OpenPGP messages via `decrypt_with_password()`\n* Parsing or converting public keys\n* Parsing signed cleartext messages from armor format\n* Using malformed private keys to sign or encrypt\n\nGiven the affected components, we consider most attack vectors to be reachable by remote attackers during typical use cases of the `rpgp` library. The attack complexity is low since the malformed messages are generic, short, and require no victim-specific knowledge.\n\nThe result is a denial-of-service impact via program termination. There is no impact to confidentiality or integrity security properties.\n\n### Versions and Patches\nAll recent versions are affected by at least some of the above mentioned issues. \n\nThe vulnerabilities have been fixed with version `0.14.1`. We recommend all users to upgrade to this version.\n\n### References\n\n\nThe security audit was made possible by the [NLnet Foundation NGI Zero Core](https://nlnet.nl/core/) grant program [for rpgp](https://nlnet.nl/project/rPGP-cryptorefresh/).",
  "id": "GHSA-9rmp-2568-59rv",
  "modified": "2025-12-26T16:30:25Z",
  "published": "2024-12-05T17:30:52Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/rpgp/rpgp/security/advisories/GHSA-9rmp-2568-59rv"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53856"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/rpgp/rpgp"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2024-0447.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "rPGP Panics on Malformed Untrusted Input"
}

rustsec-2024-0447

Vulnerability from osv_rustsec

Published

2024-12-05 12:00

Modified

2025-12-24 14:48

Summary

Panics on Malformed Untrusted Input

Details

During a security audit, Radically Open Security discovered several reachable edge cases which allow an attacker to trigger rpgp crashes by providing crafted data.

Impact

When processing malformed input, rpgp can run into Rust panics which halt the program.

This can happen in the following scenarios:

Parsing OpenPGP messages from binary or armor format
Decrypting OpenPGP messages via decrypt_with_password()
Parsing or converting public keys
Parsing signed cleartext messages from armor format
Using malformed private keys to sign or encrypt

Given the affected components, we consider most attack vectors to be reachable by remote attackers during typical use cases of the rpgp library. The attack complexity is low since the malformed messages are generic, short, and require no victim-specific knowledge.

The result is a denial-of-service impact via program termination. There is no impact to confidentiality or integrity security properties.

Versions and Patches

All recent versions are affected by at least some of the above mentioned issues.

The vulnerabilities have been fixed with version 0.14.1. We recommend all users to upgrade to this version.

References

The security audit was made possible by the NLnet Foundation NGI Zero Core grant program for rpgp.

Severity

7.5 (High)


                    
                      CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

URL

Type

	https://crates.io/crates/pgp	PACKAGE
	https://rustsec.org/advisories/RUSTSEC-2024-0447.html	ADVISORY
	https://github.com/rpgp/rpgp/security/advisories/…	ADVISORY
	https://github.com/radicallyopensecurity/ros-webs…	WEB

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "categories": [
          "denial-of-service"
        ],
        "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
        "informational": null
      },
      "ecosystem_specific": {
        "affected_functions": null,
        "affects": {
          "arch": [],
          "functions": [],
          "os": []
        }
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "pgp",
        "purl": "pkg:cargo/pgp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.0-0"
            },
            {
              "fixed": "0.14.1"
            }
          ],
          "type": "SEMVER"
        }
      ],
      "versions": []
    }
  ],
  "aliases": [
    "CVE-2024-53856",
    "GHSA-9rmp-2568-59rv"
  ],
  "database_specific": {
    "license": "CC-BY-4.0"
  },
  "details": "During a security audit, Radically Open Security discovered\nseveral reachable edge cases which allow an attacker to\ntrigger rpgp crashes by providing crafted data.\n\n## Impact\n\nWhen processing malformed input, rpgp can run into Rust panics which halt\nthe program.\n\nThis can happen in the following scenarios:\n\n * Parsing OpenPGP messages from binary or armor format\n * Decrypting OpenPGP messages via decrypt_with_password()\n * Parsing or converting public keys\n * Parsing signed cleartext messages from armor format\n * Using malformed private keys to sign or encrypt\n\nGiven the affected components, we consider most attack vectors to be\nreachable by remote attackers during typical use cases of the rpgp\nlibrary. The attack complexity is low since the malformed messages\nare generic, short, and require no victim-specific knowledge.\n\nThe result is a denial-of-service impact via program termination.\nThere is no impact to confidentiality or integrity security properties.\n\n## Versions and Patches\n\nAll recent versions are affected by at least some of the above mentioned\nissues.\n\nThe vulnerabilities have been fixed with version 0.14.1. We recommend\nall users to upgrade to this version.\n\n## References\n\nThe security audit was made possible by the NLnet Foundation\nNGI Zero Core grant program for rpgp.",
  "id": "RUSTSEC-2024-0447",
  "modified": "2025-12-24T14:48:25Z",
  "published": "2024-12-05T12:00:00Z",
  "references": [
    {
      "type": "PACKAGE",
      "url": "https://crates.io/crates/pgp"
    },
    {
      "type": "ADVISORY",
      "url": "https://rustsec.org/advisories/RUSTSEC-2024-0447.html"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/rpgp/rpgp/security/advisories/GHSA-9rmp-2568-59rv"
    },
    {
      "type": "WEB",
      "url": "https://github.com/radicallyopensecurity/ros-website/blob/8169b16fc138a0b0dde14dd0e222d1279701b4d3/ros-public-reports/ROS%20-%20NLNet%20-%20rPGP%20-%202024.pdf"
    }
  ],
  "related": [],
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Panics on Malformed Untrusted Input"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2024-53856 (GCVE-0-2024-53856)

FKIE_CVE-2024-53856

GHSA-9RMP-2568-59RV

Impact

Versions and Patches

References

rustsec-2024-0447

Vulnerability from osv_rustsec

Impact

Versions and Patches

References

Tags

Sightings

Nomenclature