RUSTSEC-2023-0063

Denial of service in Quinn servers

Reported

September 21, 2023

Issued

September 21, 2023 (last modified: February 10, 2024)

Package

quinn-proto (crates.io)

Type

Vulnerability

Categories

denial-of-service

Keywords

#panic

Aliases

CVE-2023-42805
GHSA-q8wc-j5m9-27w3

References

https://github.com/quinn-rs/quinn/pull/1667

CVSS Score

7.5 HIGH

CVSS Details

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Patched

^0.9.5
>=0.10.5

Description

Receiving QUIC frames containing a frame with unknown frame type could lead to a panic. Unfortunately this is issue was not found by our fuzzing infrastructure.

Thanks to the QUIC Tester research group for reporting this issue.

Advisory available under CC0-1.0 license.