CVE-2023-42805 - OpenCVE

quinn-proto is a state machine for the QUIC transport protocol. Prior to versions 0.9.5 and 0.10.5, receiving unknown QUIC frames in a QUIC packet could result in a panic. The problem has been fixed in 0.9.5 and 0.10.5 maintenance releases.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Quinn Project	Quinn

Configuration 1 [-]

OR	cpe:2.3:a:quinn_project:quinn::::::rust::*
	cpe:2.3:a:quinn_project:quinn::::::rust::*

No data.

References

Link	Providers
https://github.com/quinn-rs/quinn/pull/1667
https://github.com/quinn-rs/quinn/pull/1668
https://github.com/quinn-rs/quinn/pull/1669
https://github.com/quinn-rs/quinn/security/advisories/GHSA-q8wc-j5m9-27w3

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-09-21T16:39:56.350Z

Updated: 2024-08-02T19:30:24.143Z

Reserved: 2023-09-14T16:13:33.307Z

Link: CVE-2023-42805

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2023-09-21T17:15:23.353

Modified: 2023-09-25T16:32:35.913

Link: CVE-2023-42805

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-42805", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-09-14T16:13:33.307Z", "datePublished": "2023-09-21T16:39:56.350Z", "dateUpdated": "2024-08-02T19:30:24.143Z"}, "containers": {"cna": {"title": "quinn-proto Denial of Service vulnerability", "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "lang": "en", "description": "CWE-20: Improper Input Validation", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/quinn-rs/quinn/security/advisories/GHSA-q8wc-j5m9-27w3", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/quinn-rs/quinn/security/advisories/GHSA-q8wc-j5m9-27w3"}, {"name": "https://github.com/quinn-rs/quinn/pull/1667", "tags": ["x_refsource_MISC"], "url": "https://github.com/quinn-rs/quinn/pull/1667"}, {"name": "https://github.com/quinn-rs/quinn/pull/1668", "tags": ["x_refsource_MISC"], "url": "https://github.com/quinn-rs/quinn/pull/1668"}, {"name": "https://github.com/quinn-rs/quinn/pull/1669", "tags": ["x_refsource_MISC"], "url": "https://github.com/quinn-rs/quinn/pull/1669"}], "affected": [{"vendor": "quinn-rs", "product": "quinn", "versions": [{"version": "< 0.9.5", "status": "affected"}, {"version": ">= 0.10.0, < 0.10.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-09-21T16:39:56.350Z"}, "descriptions": [{"lang": "en", "value": "quinn-proto is a state machine for the QUIC transport protocol. Prior to versions 0.9.5 and 0.10.5, receiving unknown QUIC frames in a QUIC packet could result in a panic. The problem has been fixed in 0.9.5 and 0.10.5 maintenance releases."}], "source": {"advisory": "GHSA-q8wc-j5m9-27w3", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T19:30:24.143Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/quinn-rs/quinn/security/advisories/GHSA-q8wc-j5m9-27w3", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/quinn-rs/quinn/security/advisories/GHSA-q8wc-j5m9-27w3"}, {"name": "https://github.com/quinn-rs/quinn/pull/1667", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/quinn-rs/quinn/pull/1667"}, {"name": "https://github.com/quinn-rs/quinn/pull/1668", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/quinn-rs/quinn/pull/1668"}, {"name": "https://github.com/quinn-rs/quinn/pull/1669", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/quinn-rs/quinn/pull/1669"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:quinn_project:quinn:*:*:*:*:*:rust:*:*", "matchCriteriaId": "07C6E078-CA32-421C-AE0F-8944E40E0127", "versionEndExcluding": "0.9.5", "vulnerable": true}, {"criteria": "cpe:2.3:a:quinn_project:quinn:*:*:*:*:*:rust:*:*", "matchCriteriaId": "DD6B8751-AFF1-470F-8F1F-D5266891D2FB", "versionEndExcluding": "0.10.5", "versionStartIncluding": "0.10.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "quinn-proto is a state machine for the QUIC transport protocol. Prior to versions 0.9.5 and 0.10.5, receiving unknown QUIC frames in a QUIC packet could result in a panic. The problem has been fixed in 0.9.5 and 0.10.5 maintenance releases."}, {"lang": "es", "value": "quinn-proto es una m\u00e1quina de estados para el protocolo de transporte QUIC. Antes de las versiones 0.9.5 y 0.10.5, recibir tramas QUIC desconocidas en un paquete QUIC pod\u00eda provocar p\u00e1nico. El problema se solucion\u00f3 en las versiones de mantenimiento 0.9.5 y 0.10.5."}], "id": "CVE-2023-42805", "lastModified": "2023-09-25T16:32:35.913", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-09-21T17:15:23.353", "references": [{"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/quinn-rs/quinn/pull/1667"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/quinn-rs/quinn/pull/1668"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://github.com/quinn-rs/quinn/pull/1669"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/quinn-rs/quinn/security/advisories/GHSA-q8wc-j5m9-27w3"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-20"}], "source": "security-advisories@github.com", "type": "Secondary"}]}