CVE-2021-24029

EPSS 0.47%
Veröffentlicht 15.03.2021 22:15:13
Zuletzt bearbeitet 21.11.2024 05:52:14
Quelle cve-assign@fb.com
Teams Watchlist Login
Unerledigt Login

A packet of death scenario is possible in mvfst via a specially crafted message during a QUIC session, which causes a crash via a failed assertion. Per QUIC specification, this particular message should be treated as a connection error. This issue affects mvfst versions prior to commit a67083ff4b8dcbb7ee2839da6338032030d712b0 and proxygen versions prior to v2021.03.15.00.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Facebook ≫ Mvfst Version < 2021-03-13

Facebook ≫ Proxygen Version < 2021.03.15.00

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.47%	0.616

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:N/I:N/A:P

CWE-617 Reachable Assertion

The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.

https://github.com/facebookincubator/mvfst/commit/a67083ff4b8dcbb7ee2839da6338032030d712b0

Patch

Third Party Advisory

https://www.facebook.com/security/advisories/cve-2021-24029

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2021-24029

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-24029

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-24029

EUVD