This repository has been archived by the owner on Dec 1, 2024. It is now read-only.

Fix crash on malformed input in ParseCVSSVector #201

Merged: 1 commit, Jan 26, 2023

Conversation

scottcunningham
Contributor

No description provided.

@dlespiau dlespiau merged commit a1fa51e into facebookincubator:main Jan 26, 2023
@scottcunningham scottcunningham deleted the fix-parse-cvss branch January 26, 2023 14:56
@pandatix

Hey, author of the discovery here.
I still have an issue with this patch: it's OK if the bug bounty program doesn't want to provide a bounty despite this being fatal and obviously reachable (if the fuzzer did then everyone can + it is part of the exposed functions of the module), but there are still 2 major issues.

  1. This is a security fix; it must have a related CVE in order to be detected by Vulnerability Assessment Tools. Without this, the vulnerability will still be propagated in the dependents' supply chain, leading you to be responsible for vulnerable software. Assigning a CVE will make the NVD create configurations, GitHub give the info to Dependabot, Snyk trigger alerts... leading OSS to apply patches. Currently, you have illustrated the worst case that could happen with secure supply-chain practices as described in the infosec and security research communities.
  2. To properly fix this, you must create a tag so developers could update this dependency and then fix it. Now, even if they knew this vulnerability exists, they could not update this dependency, or they should target this commit (a1fa51e) as a tag, which is a really bad practice.

Please check this @dlespiau @scottcunningham
