CVE-2024-32650
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Rustls is a modern TLS library written in Rust. rustls::ConnectionCommon::complete_io could fall into an infinite loop based on network input. When using a blocking rustls server, if a client send a close_notify message immediately after client_hello, the server's complete_io will get in an infinite loop. This vulnerability is fixed in 0.23.5, 0.22.4, and 0.21.11.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| rustls | rustls | >= 0.23.0, < 0.23.5 | affected |
| rustls | rustls | >= 0.22.0, < 0.22.4 | affected |
| rustls | rustls | >= 0.21.0, < 0.21.11 | affected |
| rustls | rustls | = 0.20.0 | affected |
Weaknesses
- CWE-835: CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
CVE Program Container
Additional References
- https://github.com/rustls/rustls/security/advisories/GHSA-6g7w-8wpp-frhj
- https://github.com/rustls/rustls/commit/2123576840aa31043a31b0770e6572136fbe0c2d
- https://github.com/rustls/rustls/commit/6e938bcfe82a9da7a2e1cbf10b928c7eca26426e
- https://github.com/rustls/rustls/commit/f45664fbded03d833dffd806503d3c8becd1b71e
References
- https://github.com/rustls/rustls/security/advisories/GHSA-6g7w-8wpp-frhj
- https://github.com/rustls/rustls/commit/2123576840aa31043a31b0770e6572136fbe0c2d
- https://github.com/rustls/rustls/commit/6e938bcfe82a9da7a2e1cbf10b928c7eca26426e
- https://github.com/rustls/rustls/commit/f45664fbded03d833dffd806503d3c8becd1b71e
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.