GHSA-6ggr-cwv4-g7qg: 
Rust vulnerability analysis and mitigation

A high severity vulnerability was discovered in Rosenpass versions prior to 0.2.1, identified as GHSA-6ggr-cwv4-g7qg. The vulnerability, disclosed on December 21, 2023, involves a remotely exploitable denial of service condition in the Rust-based Rosenpass package. The flaw stems from the package's failure to validate buffer sizes during message decoding operations (GitHub Advisory, RustSec Advisory).

The vulnerability received a CVSS v3.1 score of 7.5 (High), with the following metrics: Attack Vector: Network, Attack Complexity: Low, Privileges Required: None, User Interaction: None, Scope: Unchanged, Confidentiality: None, Integrity: None, and Availability: High. The technical issue lies in the package's message processing mechanism, where buffer size validation was not properly implemented before attempting to decode messages (GitHub Advisory).

The vulnerability allows an attacker to trigger a system panic by sending a UDP datagram containing just a single byte payload over the network. This can lead to a denial of service condition, affecting the availability of systems using the vulnerable versions of Rosenpass (RustSec Advisory).

The vulnerability has been patched in Rosenpass version 0.2.1. The fix involves implementing proper validation of buffer sizes before attempting to decode messages. Users are advised to upgrade to version 0.2.1 or later to mitigate this vulnerability (GitHub Commit).