CVE-2021-24029

Опубликовано: 15 мар. 2021

Источник: nvd

CVSS3: 7.5

CVSS2: 5

EPSS Низкий

Описание

A packet of death scenario is possible in mvfst via a specially crafted message during a QUIC session, which causes a crash via a failed assertion. Per QUIC specification, this particular message should be treated as a connection error. This issue affects mvfst versions prior to commit a67083ff4b8dcbb7ee2839da6338032030d712b0 and proxygen versions prior to v2021.03.15.00.

Ссылки

https://github.com/facebookincubator/mvfst/commit/a67083ff4b8dcbb7ee2839da6338032030d712b0
Patch
Third Party Advisory
https://www.facebook.com/security/advisories/cve-2021-24029
Vendor Advisory
https://github.com/facebookincubator/mvfst/commit/a67083ff4b8dcbb7ee2839da6338032030d712b0
Patch
Third Party Advisory
https://www.facebook.com/security/advisories/cve-2021-24029
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:facebook:mvfst:*:*:*:*:*:*:*:*

Версия до 2021-03-13 (исключая)

cpe:2.3:a:facebook:proxygen:*:*:*:*:*:*:*:*

Версия до 2021.03.15.00 (исключая)

EPSS

Процентиль: 64%

0.00468

Низкий

7.5 High

CVSS3

5 Medium

CVSS2

Дефекты

CWE-617

Связанные уязвимости

GHSA-hjc6-5p5c-w4wg

github

больше 3 лет назад