CVE-2023-3766: 
Rust vulnerability analysis and mitigation

A vulnerability (CVE-2023-3766) was discovered in the odoh-rs rust crate affecting versions prior to 1.0.2. The vulnerability stems from faulty logic during the parsing of encrypted queries, specifically when processing encrypted query data received from remote clients (Cloudflare Advisory).

The vulnerability is related to a buffer copy operation without proper size checking (CWE-120). The issue occurs when the encrypted message field is too short to include the encapsulated key, causing decrypt_query() to panic instead of returning an error. The vulnerability has been assigned a CVSS v3.1 base score of 5.9 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H (Cloudflare Advisory).

Upon successful exploitation, an attacker can cause the ODOH server to crash abruptly, disrupting its normal operation and rendering the service temporarily unavailable. The vulnerability affects the availability of the service while having no impact on confidentiality or integrity (Cloudflare Advisory).

Users are advised to update their odoh-rs rust crate to version 1.0.2 or later, which contains the fix for this vulnerability. The fix ensures that decrypt_query() returns an error instead of panicking when encountering malformed encrypted messages (Cloudflare PR).