GHSA-6ggr-cwv4-g7qg: Remotely exploitable denial of service in Rosenpass

December 21, 2023

Affected versions of this crate did not validate the size of buffers when attempting to decode messages.

This allows an attacker to trigger a panic by sending a UDP datagram with a 1 byte payload over network.

This flaw was corrected by validating the size of the buffers before attempting to decode the message.

References

github.com/advisories/GHSA-6ggr-cwv4-g7qg
github.com/rosenpass/rosenpass
github.com/rosenpass/rosenpass/commit/93439858d1c44294a7b377f775c4fc897a370bb2
rustsec.org/advisories/RUSTSEC-2023-0077.html

Detect and mitigate GHSA-6ggr-cwv4-g7qg with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →