CVE-2024-45311: 
Rust vulnerability analysis and mitigation

Quinn, a pure-Rust async-compatible implementation of the IETF QUIC transport protocol, contains a vulnerability in versions 0.11.0 through 0.11.6 (CVE-2024-45311). The vulnerability was discovered on September 2, 2024, affecting the quinn-proto component. The issue allows servers to experience a denial of service condition when using specific connection handling methods (GitHub Advisory).

The vulnerability exists in the server's connection handling logic where calling retry() on an unvalidated connection can lead to a panic. This occurs in two scenarios: 1) When refuse() or ignore() is called on the resulting validated connection if a duplicate initial packet is received, and 2) When accepting a connection where the initial packet for the resulting validated connection fails to decrypt or exhausts connection IDs, if a similar initial packet that successfully decrypts and doesn't exhaust connection IDs is received. The issue has been assigned a CVSS v3.1 base score of 7.5 (High) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability can result in a denial of service for internet-facing servers. The issue primarily affects availability while maintaining no impact on confidentiality or integrity. The first scenario has been observed in real-world applications, while the second scenario remains theoretical (GitHub Advisory).

The vulnerability has been patched in quinn-proto version 0.11.7. Users should upgrade to this version or later to address the security issue (GitHub Advisory).