Vulnerability Details : CVE-2023-42805
quinn-proto is a state machine for the QUIC transport protocol. Prior to versions 0.9.5 and 0.10.5, receiving unknown QUIC frames in a QUIC packet could result in a panic. The problem has been fixed in 0.9.5 and 0.10.5 maintenance releases.
Vulnerability category: Input validation
Products affected by CVE-2023-42805
- cpe:2.3:a:quinn_project:quinn:*:*:*:*:*:rust:*:*
- cpe:2.3:a:quinn_project:quinn:*:*:*:*:*:rust:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-42805
0.14%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 50 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-42805
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
3.9
|
3.6
|
NIST | |
7.5
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
3.9
|
3.6
|
GitHub, Inc. |
CWE ids for CVE-2023-42805
-
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.Assigned by: security-advisories@github.com (Secondary)
References for CVE-2023-42805
-
https://github.com/quinn-rs/quinn/security/advisories/GHSA-q8wc-j5m9-27w3
Denial of Service issue in quinn-proto · Advisory · quinn-rs/quinn · GitHubVendor Advisory
-
https://github.com/quinn-rs/quinn/pull/1669
Backport #1667 to 0.10.x by djc · Pull Request #1669 · quinn-rs/quinn · GitHubIssue Tracking
-
https://github.com/quinn-rs/quinn/pull/1668
Backport #1667 to 0.9.x by djc · Pull Request #1668 · quinn-rs/quinn · GitHubIssue Tracking;Patch
-
https://github.com/quinn-rs/quinn/pull/1667
More principled error handling for invalid frames by djc · Pull Request #1667 · quinn-rs/quinn · GitHubIssue Tracking;Patch
Jump to