- Reported:
- Issued:
- Package: quinn-proto (crates.io)
- Type: Vulnerability
- Categories:
- Keywords: #panic
- Aliases:
- References:
- CVSS Score: 8.7 HIGH
- CVSS Details:
  - Attack Complexity: Low
  - Attack Requirements: None
  - Attack Vector: Network
  - Privileges Required: None
  - Availability Impact to the Subsequent System: None
  - Confidentiality Impact to the Subsequent System: None
  - Integrity Impact to the Subsequent System: None
  - User Interaction: None
  - Availability Impact to the Vulnerable System: High
  - Confidentiality Impact to the Vulnerable System: None
  - Integrity Impact to the Vulnerable System: None
- CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
- Patched:
- Unaffected:
Description
Receiving QUIC transport parameters containing invalid values could lead to a panic.
Unfortunately, the maintainers did not properly assess usage of unwrap() calls in the
transport parameters parsing code, and we did not have sufficient fuzzing coverage to find this
issue. We have since added a fuzzing target to cover this code path.
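
The failure mode described above, as an added Rust example that is not quinn-proto's code: peer-supplied transport parameter bytes reaching unwrap() in a fragile decoder, beside a decoder that returns an error for the same input. All function and type names are hypothetical, only two integer parameters (ack_delay_exponent and max_ack_delay, as defined in RFC 9000) are decoded, and the sample bytes are constructed.

```rust
// Added illustration, not quinn-proto's code. All names below are hypothetical.
use std::convert::TryFrom;

#[derive(Debug, PartialEq)]
pub enum ParamError { Truncated, Invalid }

/// Decode one QUIC variable-length integer (RFC 9000, section 16), advancing `buf`.
fn varint(buf: &mut &[u8]) -> Result<u64, ParamError> {
    let data = *buf;
    let first = *data.first().ok_or(ParamError::Truncated)?;
    let len = 1usize << (first >> 6); // top two bits select 1, 2, 4 or 8 bytes
    if data.len() < len { return Err(ParamError::Truncated); }
    let v = data[1..len].iter().fold(u64::from(first & 0x3f), |v, b| (v << 8) | u64::from(*b));
    *buf = &data[len..];
    Ok(v)
}

/// Fragile pattern: peer-controlled bytes reach unwrap(), so a malformed or
/// out-of-range value panics instead of failing the handshake.
pub fn ack_delay_exponent_fragile(mut value: &[u8]) -> u8 {
    u8::try_from(varint(&mut value).unwrap()).unwrap()
}

/// Hardened pattern: every failure is an error value the caller can map to a
/// connection close. Returns the (id, value) pairs that were decoded.
pub fn parse_params(mut buf: &[u8]) -> Result<Vec<(u64, u64)>, ParamError> {
    let mut out = Vec::new();
    while !buf.is_empty() {
        let id = varint(&mut buf)?;
        let len = usize::try_from(varint(&mut buf)?).map_err(|_| ParamError::Invalid)?;
        if buf.len() < len { return Err(ParamError::Truncated); }
        let (mut value, rest) = buf.split_at(len);
        buf = rest;
        // Upper bounds from RFC 9000, section 18.2; other parameters are skipped here.
        let max = match id {
            0x0a => 20,            // ack_delay_exponent
            0x0b => (1 << 14) - 1, // max_ack_delay
            _ => continue,
        };
        let v = varint(&mut value)?;
        if !value.is_empty() || v > max { return Err(ParamError::Invalid); }
        out.push((id, v));
    }
    Ok(out)
}

fn main() {
    // Constructed input: ack_delay_exponent (0x0a), length 2, value 300.
    println!("{:?}", parse_params(&[0x0a, 0x02, 0x41, 0x2c])); // Err(Invalid)
}
```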
Advisory available under CC0-1.0 license.