CVE-2024-45311
Description
Quinn is a pure-Rust, async-compatible implementation of the IETF QUIC transport protocol. As of quinn-proto 0.11, it is possible for a server to accept(), retry(), refuse(), or ignore() an Incoming connection. However, calling retry() on an unvalidated connection exposes the server to a likely panic in the following situations: 1. Calling refuse or ignore on the resulting validated connection, if a duplicate initial packet is received. This issue can go undetected until a server's refuse()/ignore() code path is exercised, such as to stop a denial of service attack. 2. Accepting when the initial packet for the resulting validated connection fails to decrypt or exhausts connection IDs, if a similar initial packet that successfully decrypts and doesn't exhaust connection IDs is received. This issue can go undetected if clients are well-behaved. The former situation was observed in a real application, while the latter is only theoretical.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
quinn-protocrates.io | >= 0.11.0, < 0.11.7 | 0.11.7 |
Affected products
36- osv-coords35 versionspkg:apk/chainguard/pixipkg:apk/chainguard/pixi-compatpkg:apk/chainguard/py3.10-uv-buildpkg:apk/chainguard/py3.10-uv-build-binpkg:apk/chainguard/py3.11-uv-buildpkg:apk/chainguard/py3.11-uv-build-binpkg:apk/chainguard/py3.12-uv-buildpkg:apk/chainguard/py3.12-uv-build-binpkg:apk/chainguard/py3.13-uv-buildpkg:apk/chainguard/py3.13-uv-build-binpkg:apk/chainguard/py3-supported-uv-buildpkg:apk/chainguard/qdrantpkg:apk/chainguard/qdrant-oci-compatpkg:apk/chainguard/qdrant-oci-entrypointpkg:apk/chainguard/uvpkg:apk/chainguard/washpkg:apk/chainguard/wasmcloudpkg:apk/wolfi/pixipkg:apk/wolfi/pixi-compatpkg:apk/wolfi/py3.10-uv-buildpkg:apk/wolfi/py3.10-uv-build-binpkg:apk/wolfi/py3.11-uv-buildpkg:apk/wolfi/py3.11-uv-build-binpkg:apk/wolfi/py3.12-uv-buildpkg:apk/wolfi/py3.12-uv-build-binpkg:apk/wolfi/py3.13-uv-buildpkg:apk/wolfi/py3.13-uv-build-binpkg:apk/wolfi/py3-supported-uv-buildpkg:apk/wolfi/qdrantpkg:apk/wolfi/qdrant-oci-compatpkg:apk/wolfi/qdrant-oci-entrypointpkg:apk/wolfi/uvpkg:apk/wolfi/washpkg:apk/wolfi/wasmcloudpkg:cargo/quinn-proto
< 0.31.0-r0+ 34 more
- (no CPE)range: < 0.31.0-r0
- (no CPE)range: < 0.31.0-r0
- (no CPE)range: < 0.4.7-r0
- (no CPE)range: < 0.4.7-r0
- (no CPE)range: < 0.4.7-r0
- (no CPE)range: < 0.4.7-r0
- (no CPE)range: < 0.4.7-r0
- (no CPE)range: < 0.4.7-r0
- (no CPE)range: < 0.4.7-r0
- (no CPE)range: < 0.4.7-r0
- (no CPE)range: < 0.4.7-r0
- (no CPE)range: < 1.11.3-r1
- (no CPE)range: < 1.11.3-r1
- (no CPE)range: < 1.11.3-r1
- (no CPE)range: < 0.4.7-r0
- (no CPE)range: < 0.32.1-r1
- (no CPE)range: < 1.2.1-r1
- (no CPE)range: < 0.31.0-r0
- (no CPE)range: < 0.31.0-r0
- (no CPE)range: < 0.4.7-r0
- (no CPE)range: < 0.4.7-r0
- (no CPE)range: < 0.4.7-r0
- (no CPE)range: < 0.4.7-r0
- (no CPE)range: < 0.4.7-r0
- (no CPE)range: < 0.4.7-r0
- (no CPE)range: < 0.4.7-r0
- (no CPE)range: < 0.4.7-r0
- (no CPE)range: < 0.4.7-r0
- (no CPE)range: < 1.11.3-r1
- (no CPE)range: < 1.11.3-r1
- (no CPE)range: < 1.11.3-r1
- (no CPE)range: < 0.4.7-r0
- (no CPE)range: < 0.32.1-r1
- (no CPE)range: < 1.2.1-r1
- (no CPE)range: >= 0.11.0, < 0.11.7
Patches
Vulnerability mechanics
References
6- github.com/quinn-rs/quinn/commit/e01609ccd8738bd438d86fa7185a0f85598cb58fnvdPatchWEB
- github.com/advisories/GHSA-vr26-jcq5-fjj8ghsaADVISORY
- github.com/quinn-rs/quinn/security/advisories/GHSA-vr26-jcq5-fjj8nvdVendor AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2024-45311ghsaADVISORY
- github.com/quinn-rs/quinn/blob/bb02a12a8435a7732a1d762783eeacbb7e50418e/quinn-proto/src/endpoint.rsnvdIssue TrackingWEB
- rustsec.org/advisories/RUSTSEC-2024-0373.htmlghsaWEB
News mentions
0No linked articles in our index yet.