Always-Incorrect Control Flow Implementation Affecting uv package, versions <0.4.7-r0
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-CHAINGUARDLATEST-UV-7924804
- published 8 Sep 2024
- disclosed 2 Sep 2024
Introduced: 2 Sep 2024
CVE-2024-45311 Open this link in a new tabHow to fix?
Upgrade Chainguard
uv
to version 0.4.7-r0 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream uv
package and not the uv
package as distributed by Chainguard
.
See How to fix?
for Chainguard
relevant fixed versions and status.
Quinn is a pure-Rust, async-compatible implementation of the IETF QUIC transport protocol. As of quinn-proto 0.11, it is possible for a server to accept()
, retry()
, refuse()
, or ignore()
an Incoming
connection. However, calling retry()
on an unvalidated connection exposes the server to a likely panic in the following situations: 1. Calling refuse
or ignore
on the resulting validated connection, if a duplicate initial packet is received. This issue can go undetected until a server's refuse()
/ignore()
code path is exercised, such as to stop a denial of service attack. 2. Accepting when the initial packet for the resulting validated connection fails to decrypt or exhausts connection IDs, if a similar initial packet that successfully decrypts and doesn't exhaust connection IDs is received. This issue can go undetected if clients are well-behaved. The former situation was observed in a real application, while the latter is only theoretical.