RUSTSEC-2024-0336: Vulnerability in rustls

Rust Crates.io Security Advisory


History
Edit
JSON (OSV)

RUSTSEC-2024-0336

rustls::ConnectionCommon::complete_io could fall into an infinite loop based on network input


Reported
Issued

Package

rustls
(crates.io)

Type

Vulnerability

Categories
Aliases
References
CVSS Score
7.5
HIGH
CVSS Details
Attack vector
Network
Attack complexity
Low

Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Patched
  • >=0.23.5
  • >=0.22.4, <0.23.0
  • >=0.21.11, <0.22.0
Affected Functions
Version
rustls::ConnectionCommon::complete_io
  • <=0.23.4
  • <=0.22.3
  • <=0.21.10
  • ^0.20

Description

If a close_notify alert is received during a handshake, complete_io
does not terminate.

Callers which do not call complete_io are not affected.

rustls-tokio and rustls-ffi do not call complete_io
and are not affected.

rustls::Stream and rustls::StreamOwned types use
complete_io and are affected.

Advisory available under CC0-1.0
license.

READ MORE