CVE-2023-46135: 
Rust vulnerability analysis and mitigation

rs-stellar-strkey, a Rust library for encoding/decoding of Stellar Strkeys, contains a panic vulnerability (CVE-2023-46135) when a specially crafted payload is used. The vulnerability was discovered on October 18, 2023, and affects versions prior to 0.0.8 (GitHub Issue, Vendor Advisory).

The vulnerability occurs due to an integer overflow in the SignedPayload::from_payload function. When inner_payload_len is 0xffffffff, the calculation inner_payload_len + (4 - inner_payload_len % 4) % 4 results in u32::MAX + 1, causing an arithmetic overflow. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (Vendor Advisory).

When exploited, this vulnerability causes the program to panic, potentially leading to a denial of service condition. The vulnerability affects availability but does not impact confidentiality or integrity of the system (Vendor Advisory).

The vulnerability has been patched in version 0.0.8 by implementing a check that ensures inner_payload_len does not exceed 64. As a workaround, users can sanitize input payload before passing it to the vulnerable function to ensure that bytes in payload[32..32+4] parsed as a u32 is not above 64 (Vendor Advisory).