CVE-2024-45311: Denial of service in quinn-proto when using `Endpoint::retry()`

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2024-45311

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

Denial of service in quinn-proto when using `Endpoint::retry()`

Source: NVD (National Vulnerability Database)

Vulnerability Description

Quinn is a pure-Rust, async-compatible implementation of the IETF QUIC transport protocol. As of quinn-proto 0.11, it is possible for a server to `accept()`, `retry()`, `refuse()`, or `ignore()` an `Incoming` connection. However, calling `retry()` on an unvalidated connection exposes the server to a likely panic in the following situations: 1. Calling `refuse` or `ignore` on the resulting validated connection, if a duplicate initial packet is received. This issue can go undetected until a server's `refuse()`/`ignore()` code path is exercised, such as to stop a denial of service attack. 2. Accepting when the initial packet for the resulting validated connection fails to decrypt or exhausts connection IDs, if a similar initial packet that successfully decrypts and doesn't exhaust connection IDs is received. This issue can go undetected if clients are well-behaved. The former situation was observed in a real application, while the latter is only theoretical.

Source: NVD (National Vulnerability Database)

CVSS Information

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Source: NVD (National Vulnerability Database)

Vulnerability Type

控制流实现总是不正确

Source: NVD (National Vulnerability Database)

Vulnerability Title

Quinn 安全漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

Quinn是quinn-rs开源的一个 IETF QUIC 传输协议的纯 Rust、异步兼容实现。 Quinn 0.11.0版本至0.11.6版本存在安全漏洞。攻击者利用该漏洞导致应用程序拒绝服务。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
quinn-rs	quinn	>= 0.11.0, < 0.11.7	-

II. Public POCs for CVE-2024-45311

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2024-45311

Please Login to view more intelligence information

IV. Related Vulnerabilities

Same product: quinn

Same vendor: quinn-rs

Same weakness: CWE-670

V. Comments for CVE-2024-45311

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

I. Basic Information for CVE-2024-45311

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2024-45311

III. Intelligence Information for CVE-2024-45311

IV. Related Vulnerabilities

V. Comments for CVE-2024-45311

Leave a comment