GHSA-qg5g-gv98-5ffh: 
Rust vulnerability analysis and mitigation

A vulnerability was discovered in Rustls version 0.23.13 and related APIs, identified as CVE-2024-11738 (GHSA-qg5g-gv98-5ffh). The vulnerability was reported on November 22, 2024, and publicly disclosed on November 25, 2024. This flaw affects the TLS implementation in Rustls, specifically impacting servers that use the rustls::server::Acceptor::accept() API, tokio-rustls's LazyConfigAcceptor API, and rustls-ffi's rustlsacceptoraccept API (RustSec Advisory, GitHub Advisory).

The vulnerability is caused by a bug that leads to a panic condition when processing fragmented TLS ClientHello messages. The issue specifically affects the Acceptor::accept() functionality in Rustls version 0.23.13 through 0.23.17. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Moderate) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L, indicating that it can be exploited remotely with low attack complexity and requires no privileges or user interaction (Red Hat CVE).

The vulnerability results in a denial of service condition through a panic in the affected server implementations. When successfully exploited, it can cause the server to crash when processing specially crafted TLS ClientHello messages. The impact is limited to availability, with no direct effect on confidentiality or integrity of the system (GitHub Advisory).

The vulnerability has been patched in Rustls version 0.23.18. Users of affected versions should upgrade to this version or later to mitigate the vulnerability. Systems using versions prior to 0.23.13 are not affected by this vulnerability (GitHub Advisory).