CVE-2024-32650

HIGH

Crates.io Rustls < 0.23.5 - Infinite Loop

Title source: rule

Description

Rustls is a modern TLS library written in Rust. `rustls::ConnectionCommon::complete_io` could fall into an infinite loop based on network input. When using a blocking rustls server, if a client send a `close_notify` message immediately after `client_hello`, the server's `complete_io` will get in an infinite loop. This vulnerability is fixed in 0.23.5, 0.22.4, and 0.21.11.

References (4)

[Vendor Advisory] https://github.com/rustls/rustls/security/advisories/GHSA-6g7w-8wpp-frhj

[Patch] https://github.com/rustls/rustls/commit/2123576840aa31043a31b0770e6572136fbe0c2d

[Patch] https://github.com/rustls/rustls/commit/6e938bcfe82a9da7a2e1cbf10b928c7eca26426e

[Patch] https://github.com/rustls/rustls/commit/f45664fbded03d833dffd806503d3c8becd1b71e

View Patch ZIP pw:eip

Scores

CVSS v3 7.5

EPSS 0.0004

EPSS Percentile 11.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-835

Status published

Products (5)

crates.io/rustls 0.23.0 - 0.23.5crates.io

rustls/rustls = 0.20.0

rustls/rustls >= 0.21.0, < 0.21.11

rustls/rustls >= 0.22.0, < 0.22.4

rustls/rustls >= 0.23.0, < 0.23.5

Published Apr 19, 2024

Tracked Since Feb 18, 2026