Reported

September 2, 2024

Issued

September 8, 2024

Package

quinn-proto (crates.io)

Type

Vulnerability

Categories

• denial-of-service

Keywords

#panic

Aliases

• GHSA-vr26-jcq5-fjj8
• CVE-2024-45311

References

• https://github.com/quinn-rs/quinn

CVSS Score

7.5 HIGH

CVSS Details

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Patched

• >=0.11.7

Unaffected

• <0.11.0

Description

In 0.11.0, we overhauled the server-side Endpoint implementation to enable more careful handling of incoming connection attempts. However, some of the code paths that cleaned up state after connection attempts were processed confused the initial destination connection ID with the destination connection ID of a substantial package. This resulted in the internal Endpoint state becoming inconsistent, which could then lead to a panic.

https://github.com/quinn-rs/quinn/commit/e01609ccd8738bd438d86fa7185a0f85598cb58f

Thanks to @finbear for reporting and investingating, and to @BiagoFesta for coordinating.

Advisory available under CC0-1.0 license.