{"id":"RUSTSEC-2024-0336","summary":"`rustls::ConnectionCommon::complete_io` could fall into an infinite loop based on network input","details":"If a `close_notify` alert is received during a handshake, `complete_io`\ndoes not terminate.\n\nCallers which do not call `complete_io` are not affected.\n\n`rustls-tokio` and `rustls-ffi` do not call `complete_io`\nand are not affected.\n\n`rustls::Stream` and `rustls::StreamOwned` types use\n`complete_io` and are affected.","aliases":["CVE-2024-32650","GHSA-6g7w-8wpp-frhj"],"modified":"2024-04-20T02:21:14Z","published":"2024-04-19T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/rustls"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2024-0336.html"},{"type":"ADVISORY","url":"https://github.com/rustls/rustls/security/advisories/GHSA-6g7w-8wpp-frhj"}],"affected":[{"package":{"name":"rustls","ecosystem":"crates.io","purl":"pkg:cargo/rustls"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.0.0-0"},{"fixed":"0.21.11"},{"introduced":"0.22.0"},{"fixed":"0.22.4"},{"introduced":"0.23.0"},{"fixed":"0.23.5"}]}],"ecosystem_specific":{"affects":{"functions":["rustls::ConnectionCommon::complete_io"],"arch":[],"os":[]},"affected_functions":null},"database_specific":{"informational":null,"categories":["denial-of-service"],"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2024-0336.json","cvss":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}