Expected Behavior Violation Affecting snow package, versions <0.9.5


Severity

Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-RUST-SNOW-6190456
  • published25 Jan 2024
  • disclosed24 Jan 2024
  • creditUnknown

Introduced: 24 Jan 2024

CVE NOT AVAILABLE CWE-440  (opens in a new tab)

How to fix?

Upgrade snow to version 0.9.5 or higher.

Overview

Affected versions of this package are vulnerable to Expected Behavior Violation via the TransportState process. An attacker with the ability to inject packets into the communication channel can disrupt the service by causing a mismatch in nonce values expected by the sending and receiving parties.

Note:

This is only exploitable if the TransportState is used, as opposed to StatelessTransportState.

References

CVSS Scores

version 3.1