CVE-2024-45311
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2024-45311
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-45311.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2024-45311
- Aliases
- Related
- Published
- 2024-09-02T18:15:37Z
- Modified
- 2024-10-08T04:22:27.413293Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- [none]
- Details
-
Quinn is a pure-Rust, async-compatible implementation of the IETF QUIC transport protocol. As of quinn-proto 0.11, it is possible for a server to
accept(),retry(),refuse(), orignore()anIncomingconnection. However, callingretry()on an unvalidated connection exposes the server to a likely panic in the following situations: 1. Callingrefuseorignoreon the resulting validated connection, if a duplicate initial packet is received. This issue can go undetected until a server'srefuse()/ignore()code path is exercised, such as to stop a denial of service attack. 2. Accepting when the initial packet for the resulting validated connection fails to decrypt or exhausts connection IDs, if a similar initial packet that successfully decrypts and doesn't exhaust connection IDs is received. This issue can go undetected if clients are well-behaved. The former situation was observed in a real application, while the latter is only theoretical. - References
Affected packages
Git / github.com/quinn-rs/quinn
Affected ranges
- Type
- GIT
- Repo
- https://github.com/quinn-rs/quinn
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed