CVE-2021-24029

{"id": "CVE-2021-24029", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2021-03-15T22:15:13.530", "references": [{"url": "https://github.com/facebookincubator/mvfst/commit/a67083ff4b8dcbb7ee2839da6338032030d712b0", "tags": ["Patch", "Third Party Advisory"], "source": "cve-assign@fb.com"}, {"url": "https://www.facebook.com/security/advisories/cve-2021-24029", "tags": ["Vendor Advisory"], "source": "cve-assign@fb.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-617"}]}, {"type": "Secondary", "source": "cve-assign@fb.com", "description": [{"lang": "en", "value": "CWE-617"}]}], "descriptions": [{"lang": "en", "value": "A packet of death scenario is possible in mvfst via a specially crafted message during a QUIC session, which causes a crash via a failed assertion. Per QUIC specification, this particular message should be treated as a connection error. This issue affects mvfst versions prior to commit a67083ff4b8dcbb7ee2839da6338032030d712b0 and proxygen versions prior to v2021.03.15.00."}, {"lang": "es", "value": "Un paquete de escenario death es posible en mvfst por medio de un mensaje especialmente dise\u00f1ado durante una sesi\u00f3n QUIC, lo que causa un bloqueo por medio de un fallo de aserci\u00f3n. Seg\u00fan la especificaci\u00f3n QUIC, este mensaje en particular debe tratarse como un error de conexi\u00f3n. Este problema afecta a las versiones de mvfst anteriores al commit a67083ff4b8dcbb7ee2839da6338032030d712b0 y versiones de proxygen anteriores a v2021.03.15.00"}], "lastModified": "2021-03-23T16:34:55.963", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:facebook:mvfst:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D48024F5-694D-40A0-AAC5-8F3E127E1CCF", "versionEndExcluding": "2021-03-13"}, {"criteria": "cpe:2.3:a:facebook:proxygen:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4855309D-53DF-44FE-B80D-D0D3E2425D32", "versionEndExcluding": "2021.03.15.00"}], "operator": "OR"}]}], "sourceIdentifier": "cve-assign@fb.com"}