Reported

April 19, 2024

Issued

April 19, 2024

Package

rustls (crates.io)

Type

Vulnerability

Categories

• denial-of-service

Aliases

• CVE-2024-32650
• GHSA-6g7w-8wpp-frhj

References

• https://github.com/rustls/rustls/security/advisories/GHSA-6g7w-8wpp-frhj

CVSS Score

7.5 HIGH

CVSS Details

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality Impact

None

Integrity Impact

None

Availability Impact

High

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Patched

• >=0.23.5
• >=0.22.4, <0.23.0
• >=0.21.11, <0.22.0

Affected Functions

Version

rustls::ConnectionCommon::complete_io

• <=0.23.4
• <=0.22.3
• <=0.21.10
• ^0.20

Description

If a close_notify alert is received during a handshake, complete_io does not terminate.

Callers which do not call complete_io are not affected.

rustls-tokio and rustls-ffi do not call complete_io and are not affected.

rustls::Stream and rustls::StreamOwned types use complete_io and are affected.

Advisory available under CC0-1.0 license.