CVE-2021-24029

EPSS 0.47%
Published 15.03.2021 22:15:13
Last modified 21.11.2024 05:52:14
Source cve-assign@fb.com
Teams watchlist Login
Open Login

A packet of death scenario is possible in mvfst via a specially crafted message during a QUIC session, which causes a crash via a failed assertion. Per QUIC specification, this particular message should be treated as a connection error. This issue affects mvfst versions prior to commit a67083ff4b8dcbb7ee2839da6338032030d712b0 and proxygen versions prior to v2021.03.15.00.

Affected products Warnungen 0 Metrics 3 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

Facebook ≫ Mvfst Version < 2021-03-13

Facebook ≫ Proxygen Version < 2021.03.15.00

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.47%	0.616

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:N/I:N/A:P

CWE-617 Reachable Assertion

The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.

https://github.com/facebookincubator/mvfst/commit/a67083ff4b8dcbb7ee2839da6338032030d712b0

Patch

Third Party Advisory

https://www.facebook.com/security/advisories/cve-2021-24029

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2021-24029

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-24029

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-24029

EUVD