Headline

CVE-2023-42805: Denial of Service issue in quinn-proto

quinn-proto is a state machine for the QUIC transport protocol. Prior to versions 0.9.5 and 0.10.5, receiving unknown QUIC frames in a QUIC packet could result in a panic. The problem has been fixed in 0.9.5 and 0.10.5 maintenance releases.

1 year ago

CVE

Open in Source

#mac #dos

High

djc published GHSA-q8wc-j5m9-27w3

Sep 21, 2023

Package

cargo quinn-proto (Rust)

Affected versions

< 0.9.5

Patched versions

0.9.5, 0.10.5

Description

Impact

Receiving unknown QUIC frames in a QUIC packet could result in a panic.

Patches

The problem has been fixed in 0.9.5 and 0.10.5 maintenance releases.

References

Fixed in #1667, backported in #1668 and #1669.

Severity

High

7.5

/ 10

CVSS base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE ID

CVE-2023-42805

Weaknesses

No CWEs

### Impact Receiving unknown QUIC frames in a QUIC packet could result in a panic. ### Patches The problem has been fixed in 0.9.5 and 0.10.5 maintenance releases. ### References Fixed in https://github.com/quinn-rs/quinn/pull/1667, backported in https://github.com/quinn-rs/quinn/pull/1668 and https://github.com/quinn-rs/quinn/pull/1669.

1 year ago

ghsa

Open in Source

#dos #git