CVE-2024-45311 – quinn-proto

Package

Manager: cargo
Name: quinn-proto
Vulnerable Version: >=0.11.0 <0.11.7

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00136 pctl0.34133

Details

Denial of service in quinn-proto when using `Endpoint::retry()` ### Summary As of quinn-proto 0.11, it is possible for a server to `accept()`, `retry()`, `refuse()`, or `ignore()` an `Incoming` connection. However, calling `retry()` on an unvalidated connection exposes the server to a likely panic in the following situations: - Calling `refuse` or `ignore` on the resulting validated connection, if a duplicate initial packet is received - This issue can go undetected until a server's `refuse()`/`ignore()` code path is exercised, such as to stop a denial of service attack. - Accepting when the initial packet for the resulting validated connection fails to decrypt or exhausts connection IDs, if a similar initial packet that successfully decrypts and doesn't exhaust connection IDs is received. - This issue can go undetected if clients are well-behaved. The former situation was observed in a real application, while the latter is only theoretical. ### Details Location of panic: https://github.com/quinn-rs/quinn/blob/bb02a12a8435a7732a1d762783eeacbb7e50418e/quinn-proto/src/endpoint.rs#L213 ### Impact Denial of service for internet-facing server

Metadata

Created: 2024-09-03T20:49:26Z
Modified: 2024-09-09T14:20:32Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-vr26-jcq5-fjj8/GHSA-vr26-jcq5-fjj8.json
CWE IDs: ["CWE-670"]
Alternative ID: GHSA-vr26-jcq5-fjj8
Finding: F164
Auto approve: 1