CVE-2024-45311
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2024-45311
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-45311.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2024-45311
- Aliases
- Related
- Published
- 2024-09-02T16:45:39Z
- Modified
- 2025-10-22T18:43:25.171462Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- Denial of service in quinn-proto when using `Endpoint::retry()`
- Details
-
Quinn is a pure-Rust, async-compatible implementation of the IETF QUIC transport protocol. As of quinn-proto 0.11, it is possible for a server to
accept(),retry(),refuse(), orignore()anIncomingconnection. However, callingretry()on an unvalidated connection exposes the server to a likely panic in the following situations: 1. Callingrefuseorignoreon the resulting validated connection, if a duplicate initial packet is received. This issue can go undetected until a server'srefuse()/ignore()code path is exercised, such as to stop a denial of service attack. 2. Accepting when the initial packet for the resulting validated connection fails to decrypt or exhausts connection IDs, if a similar initial packet that successfully decrypts and doesn't exhaust connection IDs is received. This issue can go undetected if clients are well-behaved. The former situation was observed in a real application, while the latter is only theoretical. - Database specific
{ "cwe_ids": [ "CWE-670" ] }- References