Remotely exploitable denial of service in Rosenpass · GHSA-6ggr-cwv4-g7qg · GitHub Advisory Database · GitHub

Remotely exploitable denial of service in Rosenpass

High severity GitHub Reviewed Published Dec 21, 2023 to the GitHub Advisory Database • Updated Dec 21, 2023

Package

rosenpass (Rust)

Affected versions

< 0.2.1

Patched versions

0.2.1

Description

Affected versions of this crate did not validate the size of buffers when attempting to decode messages.

This allows an attacker to trigger a panic by sending a UDP datagram with a 1 byte payload over network.

This flaw was corrected by validating the size of the buffers before attempting to decode the message.

References

Published to the GitHub Advisory Database Dec 21, 2023

Reviewed Dec 21, 2023

Last updated Dec 21, 2023

Severity

High

7.5

/ 10

CVSS base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H