CVE-2024-51502

Nov. 21, 2024, 5:15 p.m.

None
No Score

Description

loona is an experimental, HTTP/1.1 and HTTP/2 implementation in Rust on top of io-uring. `loona-hpack` suffers from the same vulnerability as the original `hpack` as documented in issue #11. All users who try to decode untrusted input using the Decoder are vulnerable to this exploit. This issue has been addressed in release version 0.4.3. All users are advised to upgrade. There are no known workarounds for this vulnerability.

Product(s) Impacted

Product Versions
loona-hpack
  • ['before 0.4.3']

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-755
Improper Handling of Exceptional Conditions
The product does not handle or incorrectly handles an exceptional condition.

References

https://github.com/bearcove/loona/commit/9a4028ec6484f50a320281271a41a5040ddb1ba8
https://github.com/bearcove/loona/security/advisories/GHSA-7vm6-qwh5-9x44
https://github.com/mlalic/hpack-rs/issues/11

Tags

security-advisories@github.com
CWE-755
2024-11-04
CVE-2024-51502

Timeline

Published: Nov. 4, 2024, 11:15 p.m.
Last Modified: Nov. 21, 2024, 5:15 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.