Always-Incorrect Control Flow Implementation Affecting wash package, versions <0.32.1-r1


Severity

Recommended
0.0
high
0
10

Snyk's Security Team recommends NVD's CVSS assessment. Learn more

Threat Intelligence

EPSS
0.05% (23rd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-CHAINGUARDLATEST-WASH-8098325
  • published26 Sept 2024
  • disclosed2 Sept 2024

Introduced: 2 Sep 2024

CVE-2024-45311  (opens in a new tab)
CWE-670  (opens in a new tab)

How to fix?

Upgrade Chainguard wash to version 0.32.1-r1 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream wash package and not the wash package as distributed by Chainguard. See How to fix? for Chainguard relevant fixed versions and status.

Quinn is a pure-Rust, async-compatible implementation of the IETF QUIC transport protocol. As of quinn-proto 0.11, it is possible for a server to accept(), retry(), refuse(), or ignore() an Incoming connection. However, calling retry() on an unvalidated connection exposes the server to a likely panic in the following situations: 1. Calling refuse or ignore on the resulting validated connection, if a duplicate initial packet is received. This issue can go undetected until a server's refuse()/ignore() code path is exercised, such as to stop a denial of service attack. 2. Accepting when the initial packet for the resulting validated connection fails to decrypt or exhausts connection IDs, if a similar initial packet that successfully decrypts and doesn't exhaust connection IDs is received. This issue can go undetected if clients are well-behaved. The former situation was observed in a real application, while the latter is only theoretical.

CVSS Scores

version 3.1