CVE-2024-32650: Infinite Loop in Project Rustls

CWE-835: Infinite Loop (7 documents, 5 sources)
Severity: 7.5 HIGH (NVD)
EPSS: 0.0% (top 88.01%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Apr 19

Description

Rustls is a modern TLS library written in Rust. `rustls::ConnectionCommon::complete_io` could fall into an infinite loop based on network input. When using a blocking rustls server, if a client sends a `close_notify` message immediately after `client_hello`, the server's `complete_io` enters an infinite loop. The impact is to availability only (CVSS C:N/I:N/A:H): an unauthenticated client can tie up the server thread blocked in `complete_io` with just those two messages, since the loop never blocks in a read or write once it has stopped making progress. This vulnerability is fixed in 0.23.5, 0.22.4, and 0.21.11.
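
The failure mode described above, as an added illustration that is neither rustls code nor part of the original page: a toy server state machine (`ModelServer`) and an in-memory socket (`FakeSocket`), driven by the kind of blocking "complete I/O until handshaked" loop the advisory refers to. The client stream is constructed: one framed record standing in for `client_hello`, then a `close_notify` alert. The record framing `[type][len_be16][payload]`, the type names and the function `complete_io` are assumptions made for this demonstration. The model assumes that after `close_notify` the connection wants neither reads nor writes while still reporting that it is handshaking, which is the shape of the trap; the `guard` flag adds a generic no-progress exit and is not the rustls patch.

```rust
use std::io::{self, Read, Write};

// TLS record content-type values used by the constructed client stream.
const CT_ALERT: u8 = 21;
const CT_HANDSHAKE: u8 = 22;

/// Constructed client input: a record standing in for client_hello, then a
/// close_notify alert (level 1 = warning, description 0 = close_notify).
/// Records are framed as [type][len_be16][payload]; this framing is an assumption
/// of the model, not real TLS record layout.
pub fn client_hello_then_close_notify() -> Vec<u8> {
    let mut v = vec![CT_HANDSHAKE, 0, 5];
    v.extend_from_slice(b"hello");
    v.extend_from_slice(&[CT_ALERT, 0, 2, 1, 0]);
    v
}

/// In-memory stand-in for a blocking socket: reads come from `inbound`,
/// writes are appended to `outbound`.
pub struct FakeSocket {
    inbound: io::Cursor<Vec<u8>>,
    pub outbound: Vec<u8>,
}

impl FakeSocket {
    pub fn new(client_bytes: Vec<u8>) -> Self {
        FakeSocket { inbound: io::Cursor::new(client_bytes), outbound: Vec::new() }
    }
}

impl Read for FakeSocket {
    fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> {
        self.inbound.read(buf)
    }
}

impl Write for FakeSocket {
    fn write(&mut self, buf: &[u8]) -> io::Result<usize> {
        self.outbound.extend_from_slice(buf);
        Ok(buf.len())
    }
    fn flush(&mut self) -> io::Result<()> {
        Ok(())
    }
}

/// Toy server connection with rustls-style query methods. It is NOT rustls; it only
/// reproduces the trap the advisory describes: still handshaking, yet wanting
/// neither reads nor writes once close_notify has arrived.
pub struct ModelServer {
    handshaking: bool,
    received_close_notify: bool,
    inbuf: Vec<u8>,
    outbuf: Vec<u8>,
}

impl ModelServer {
    pub fn new() -> Self {
        ModelServer { handshaking: true, received_close_notify: false, inbuf: Vec::new(), outbuf: Vec::new() }
    }
    pub fn is_handshaking(&self) -> bool { self.handshaking }
    pub fn wants_write(&self) -> bool { !self.outbuf.is_empty() }
    /// Model assumption: nothing more is read after the peer's close_notify.
    pub fn wants_read(&self) -> bool { !self.received_close_notify }

    pub fn read_tls(&mut self, rd: &mut dyn Read) -> io::Result<usize> {
        let mut tmp = [0u8; 256];
        let n = rd.read(&mut tmp)?;
        self.inbuf.extend_from_slice(&tmp[..n]);
        Ok(n)
    }

    pub fn write_tls(&mut self, wr: &mut dyn Write) -> io::Result<usize> {
        let n = wr.write(&self.outbuf)?;
        self.outbuf.drain(..n);
        Ok(n)
    }

    /// Consume every complete record in `inbuf` and update the state machine.
    pub fn process_new_packets(&mut self) -> Result<(), &'static str> {
        while self.inbuf.len() >= 3 {
            let len = u16::from_be_bytes([self.inbuf[1], self.inbuf[2]]) as usize;
            if self.inbuf.len() < 3 + len {
                break; // partial record: wait for more bytes
            }
            let record: Vec<u8> = self.inbuf.drain(..3 + len).collect();
            match (record[0], &record[3..]) {
                // client_hello: queue the server flight; the handshake completes only
                // when the client's next flight arrives, which never happens here.
                (CT_HANDSHAKE, _) => self.outbuf.extend_from_slice(b"server_flight"),
                (CT_ALERT, [1, 0]) => self.received_close_notify = true,
                _ => return Err("unexpected record"),
            }
        }
        Ok(())
    }
}

/// Blocking "drive I/O until handshaked" loop. With `guard == false` it has no exit for
/// "still handshaking, nothing to read or write", so the constructed input makes it spin;
/// `max_iters` exists only so the demonstration terminates (TimedOut). With `guard == true`
/// an iteration that moves no bytes is reported as UnexpectedEof. The guard is a generic
/// no-progress check added for this example, not the rustls fix.
pub fn complete_io(conn: &mut ModelServer, sock: &mut (impl Read + Write), guard: bool, max_iters: usize)
    -> io::Result<(usize, usize)>
{
    let (mut rdlen, mut wrlen) = (0usize, 0usize);
    for _ in 0..max_iters {
        let (rd_before, wr_before) = (rdlen, wrlen);
        while conn.wants_write() {
            wrlen += conn.write_tls(&mut *sock)?;
        }
        sock.flush()?;
        if conn.wants_read() {
            match conn.read_tls(&mut *sock)? {
                0 => return Err(io::Error::from(io::ErrorKind::UnexpectedEof)), // TCP-level EOF
                n => rdlen += n,
            }
        }
        conn.process_new_packets()
            .map_err(|e| io::Error::new(io::ErrorKind::InvalidData, e))?;
        if !conn.is_handshaking() {
            return Ok((rdlen, wrlen));
        }
        if guard && rdlen == rd_before && wrlen == wr_before {
            return Err(io::Error::new(io::ErrorKind::UnexpectedEof, "peer closed mid-handshake; no progress possible"));
        }
    }
    Err(io::Error::new(io::ErrorKind::TimedOut, "iteration budget exhausted: the loop is spinning"))
}

fn main() {
    let stream = client_hello_then_close_notify();
    for guard in [false, true] {
        let mut conn = ModelServer::new();
        let mut sock = FakeSocket::new(stream.clone());
        println!("guard={}: {:?}", guard, complete_io(&mut conn, &mut sock, guard, 10));
    }
}
```

Without the guard the loop only stops because of the iteration budget; a real blocking server would spin on one core until killed, because after the server flight is written nothing in the loop blocks. A plain TCP disconnect after `client_hello` is caught either way (the zero-byte read maps to UnexpectedEof); it is the well-formed `close_notify` that defeats the EOF check. Upgrading to the fixed versions is the remedy; the guard shows the invariant any hand-rolled driver loop should enforce: an iteration that moved no bytes and finished no state cannot be followed by one that does.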

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6

Affected Packages (8 packages)

Source      Package                  Affected versions
debian      debian/rust-rustls       < rust-rustls 0.21.12-1 (forky)
crates.io   rustls_project/rustls    0.0.0-0 to 0.21.11 (+3 more ranges)
CVEListV5   rustls/rustls            4 versions (+3 more)

Vulnerability Details (4)

OSV    2024-04-19  `rustls::ConnectionCommon::complete_io` could fall into an infinite loop based on network input
GHSA   2024-04-19  Denial of Service Vulnerability in Rustls Library
OSV    2024-04-19  Denial of Service Vulnerability in Rustls Library
OSV    2024-04-19  CVE-2024-32650: Rustls is a modern TLS library written in Rust

Vendor Advisories (2)

Microsoft  2024-04-09  Rustls vulnerable to an infinite loop in rustls::conn::ConnectionCommon::complete_io() with proper client input
Debian     2024        CVE-2024-32650: rust-rustls - Rustls is a modern TLS library written in Rust. `rustls::ConnectionCommon::compl...