CVE-2023-39914: 
Rust vulnerability analysis and mitigation

NLnet Labs' bcder library versions up to and including 0.7.2 contains a vulnerability where the decoder fails to properly validate input data, leading to panics when processing certain invalid data sequences. The vulnerability was discovered and reported by researchers from Fraunhofer SIT and ATHENE, and was disclosed on September 13, 2023 (NVD, Vendor Advisory).

The vulnerability stems from insufficient input validation in the bcder library's decoder component. The issue manifests in two ways: during the actual decoding stage and when accessing content of types that utilize delayed decoding. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating it is network-accessible, requires low attack complexity, and needs no privileges or user interaction (NVD).

When exploited, the vulnerability causes the bcder library to panic instead of properly handling and rejecting invalid input data with an error. This can lead to denial of service conditions in applications utilizing the affected library versions (NVD).

The vulnerability has been fixed in bcder version 0.7.3, which implements more thorough input checking. Users are advised to upgrade to this version or later to address the vulnerability (Vendor Advisory).