Vulnerability-Lookup

CVE-2023-49295 (GCVE-0-2023-49295)

Vulnerability from cvelistv5 – Published: 2024-01-10 21:40 – Updated: 2025-06-17 20:59

Title

quic-go's path validation mechanism can cause denial of service

Summary

quic-go is an implementation of the QUIC protocol (RFC 9000, RFC 9001, RFC 9002) in Go. An attacker can cause its peer to run out of memory sending a large number of PATH_CHALLENGE frames. The receiver is supposed to respond to each PATH_CHALLENGE frame with a PATH_RESPONSE frame. The attacker can prevent the receiver from sending out (the vast majority of) these PATH_RESPONSE frames by collapsing the peers congestion window (by selectively acknowledging received packets) and by manipulating the peer's RTT estimate. This vulnerability has been patched in versions 0.37.7, 0.38.2 and 0.39.4.

Severity ?

6.4 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H

CWE

CWE-400 - Uncontrolled Resource Consumption

Assigner

GitHub_M

References

URL

Tags

	https://github.com/quic-go/quic-go/security/advis…	x_refsource_CONFIRM
	https://github.com/quic-go/quic-go/commit/17fc98c…	x_refsource_MISC
	https://github.com/quic-go/quic-go/commit/21609dd…	x_refsource_MISC
	https://github.com/quic-go/quic-go/commit/3a9c18b…	x_refsource_MISC
	https://github.com/quic-go/quic-go/commit/554d543…	x_refsource_MISC
	https://github.com/quic-go/quic-go/commit/6cc3d58…	x_refsource_MISC
	https://github.com/quic-go/quic-go/commit/9aaefe1…	x_refsource_MISC
	https://github.com/quic-go/quic-go/commit/a0ffa75…	x_refsource_MISC
	https://github.com/quic-go/quic-go/commit/d7aa627…	x_refsource_MISC
	https://lists.fedoraproject.org/archives/list/pac…
	https://lists.fedoraproject.org/archives/list/pac…

Impacted products

	Vendor	Product	Version
	quic-go	quic-go	Affected: = 0.40.0 Affected: >= 0.39.0, < 0.39.4 Affected: >= 0.38.0, < 0.38.2 Affected: < 0.37.7

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T21:53:45.389Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/quic-go/quic-go/security/advisories/GHSA-ppxx-5m9h-6vxf",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/quic-go/quic-go/security/advisories/GHSA-ppxx-5m9h-6vxf"
          },
          {
            "name": "https://github.com/quic-go/quic-go/commit/17fc98c2d81dbe685c19702dc694a9d606ac56dc",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/quic-go/quic-go/commit/17fc98c2d81dbe685c19702dc694a9d606ac56dc"
          },
          {
            "name": "https://github.com/quic-go/quic-go/commit/21609ddfeff93668c7625a85eb09f1541fdad965",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/quic-go/quic-go/commit/21609ddfeff93668c7625a85eb09f1541fdad965"
          },
          {
            "name": "https://github.com/quic-go/quic-go/commit/3a9c18bcd27a01c551ac9bf8bd2b4bded77c189a",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/quic-go/quic-go/commit/3a9c18bcd27a01c551ac9bf8bd2b4bded77c189a"
          },
          {
            "name": "https://github.com/quic-go/quic-go/commit/554d543b50b917369fb1394cc5396d928166cf49",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/quic-go/quic-go/commit/554d543b50b917369fb1394cc5396d928166cf49"
          },
          {
            "name": "https://github.com/quic-go/quic-go/commit/6cc3d58935426191296171a6c0d1ee965e10534e",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/quic-go/quic-go/commit/6cc3d58935426191296171a6c0d1ee965e10534e"
          },
          {
            "name": "https://github.com/quic-go/quic-go/commit/9aaefe19fc3dc8c8917cc87e6128bb56d9e9e6cc",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/quic-go/quic-go/commit/9aaefe19fc3dc8c8917cc87e6128bb56d9e9e6cc"
          },
          {
            "name": "https://github.com/quic-go/quic-go/commit/a0ffa757499913f7be69aa78f573a6aee3430ae4",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/quic-go/quic-go/commit/a0ffa757499913f7be69aa78f573a6aee3430ae4"
          },
          {
            "name": "https://github.com/quic-go/quic-go/commit/d7aa627ebde91cf799ada2a07443faa9b1e5abb8",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/quic-go/quic-go/commit/d7aa627ebde91cf799ada2a07443faa9b1e5abb8"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G5RSHDTVMYAIGYVVFGKTMFHAZJMA3EVV/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZE7IOKXX5AATU2WR3V76X5Y3A44QAATG/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-49295",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-01-11T15:35:07.010763Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-17T20:59:15.978Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "quic-go",
          "vendor": "quic-go",
          "versions": [
            {
              "status": "affected",
              "version": "= 0.40.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 0.39.0, \u003c 0.39.4"
            },
            {
              "status": "affected",
              "version": "\u003e= 0.38.0, \u003c 0.38.2"
            },
            {
              "status": "affected",
              "version": "\u003c 0.37.7"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "quic-go is an implementation of the QUIC protocol (RFC 9000, RFC 9001, RFC 9002) in Go. An attacker can cause its peer to run out of memory sending a large number of PATH_CHALLENGE frames. The receiver is supposed to respond to each PATH_CHALLENGE frame with a PATH_RESPONSE frame. The attacker can prevent the receiver from sending out (the vast majority of) these PATH_RESPONSE frames by collapsing the peers congestion window (by selectively acknowledging received packets) and by manipulating the peer\u0027s RTT estimate. This vulnerability has been patched in versions 0.37.7, 0.38.2 and 0.39.4."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400: Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-02-21T02:06:00.030Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/quic-go/quic-go/security/advisories/GHSA-ppxx-5m9h-6vxf",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/quic-go/quic-go/security/advisories/GHSA-ppxx-5m9h-6vxf"
        },
        {
          "name": "https://github.com/quic-go/quic-go/commit/17fc98c2d81dbe685c19702dc694a9d606ac56dc",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/quic-go/quic-go/commit/17fc98c2d81dbe685c19702dc694a9d606ac56dc"
        },
        {
          "name": "https://github.com/quic-go/quic-go/commit/21609ddfeff93668c7625a85eb09f1541fdad965",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/quic-go/quic-go/commit/21609ddfeff93668c7625a85eb09f1541fdad965"
        },
        {
          "name": "https://github.com/quic-go/quic-go/commit/3a9c18bcd27a01c551ac9bf8bd2b4bded77c189a",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/quic-go/quic-go/commit/3a9c18bcd27a01c551ac9bf8bd2b4bded77c189a"
        },
        {
          "name": "https://github.com/quic-go/quic-go/commit/554d543b50b917369fb1394cc5396d928166cf49",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/quic-go/quic-go/commit/554d543b50b917369fb1394cc5396d928166cf49"
        },
        {
          "name": "https://github.com/quic-go/quic-go/commit/6cc3d58935426191296171a6c0d1ee965e10534e",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/quic-go/quic-go/commit/6cc3d58935426191296171a6c0d1ee965e10534e"
        },
        {
          "name": "https://github.com/quic-go/quic-go/commit/9aaefe19fc3dc8c8917cc87e6128bb56d9e9e6cc",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/quic-go/quic-go/commit/9aaefe19fc3dc8c8917cc87e6128bb56d9e9e6cc"
        },
        {
          "name": "https://github.com/quic-go/quic-go/commit/a0ffa757499913f7be69aa78f573a6aee3430ae4",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/quic-go/quic-go/commit/a0ffa757499913f7be69aa78f573a6aee3430ae4"
        },
        {
          "name": "https://github.com/quic-go/quic-go/commit/d7aa627ebde91cf799ada2a07443faa9b1e5abb8",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/quic-go/quic-go/commit/d7aa627ebde91cf799ada2a07443faa9b1e5abb8"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G5RSHDTVMYAIGYVVFGKTMFHAZJMA3EVV/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZE7IOKXX5AATU2WR3V76X5Y3A44QAATG/"
        }
      ],
      "source": {
        "advisory": "GHSA-ppxx-5m9h-6vxf",
        "discovery": "UNKNOWN"
      },
      "title": "quic-go\u0027s path validation mechanism can cause denial of service"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-49295",
    "datePublished": "2024-01-10T21:40:58.881Z",
    "dateReserved": "2023-11-24T16:45:24.314Z",
    "dateUpdated": "2025-06-17T20:59:15.978Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/quic-go/quic-go/security/advisories/GHSA-ppxx-5m9h-6vxf\", \"name\": \"https://github.com/quic-go/quic-go/security/advisories/GHSA-ppxx-5m9h-6vxf\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/quic-go/quic-go/commit/17fc98c2d81dbe685c19702dc694a9d606ac56dc\", \"name\": \"https://github.com/quic-go/quic-go/commit/17fc98c2d81dbe685c19702dc694a9d606ac56dc\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/quic-go/quic-go/commit/21609ddfeff93668c7625a85eb09f1541fdad965\", \"name\": \"https://github.com/quic-go/quic-go/commit/21609ddfeff93668c7625a85eb09f1541fdad965\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/quic-go/quic-go/commit/3a9c18bcd27a01c551ac9bf8bd2b4bded77c189a\", \"name\": \"https://github.com/quic-go/quic-go/commit/3a9c18bcd27a01c551ac9bf8bd2b4bded77c189a\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/quic-go/quic-go/commit/554d543b50b917369fb1394cc5396d928166cf49\", \"name\": \"https://github.com/quic-go/quic-go/commit/554d543b50b917369fb1394cc5396d928166cf49\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/quic-go/quic-go/commit/6cc3d58935426191296171a6c0d1ee965e10534e\", \"name\": \"https://github.com/quic-go/quic-go/commit/6cc3d58935426191296171a6c0d1ee965e10534e\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/quic-go/quic-go/commit/9aaefe19fc3dc8c8917cc87e6128bb56d9e9e6cc\", \"name\": \"https://github.com/quic-go/quic-go/commit/9aaefe19fc3dc8c8917cc87e6128bb56d9e9e6cc\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/quic-go/quic-go/commit/a0ffa757499913f7be69aa78f573a6aee3430ae4\", \"name\": \"https://github.com/quic-go/quic-go/commit/a0ffa757499913f7be69aa78f573a6aee3430ae4\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/quic-go/quic-go/commit/d7aa627ebde91cf799ada2a07443faa9b1e5abb8\", \"name\": \"https://github.com/quic-go/quic-go/commit/d7aa627ebde91cf799ada2a07443faa9b1e5abb8\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G5RSHDTVMYAIGYVVFGKTMFHAZJMA3EVV/\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZE7IOKXX5AATU2WR3V76X5Y3A44QAATG/\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T21:53:45.389Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-49295\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-01-11T15:35:07.010763Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-06-17T20:50:31.921Z\"}}], \"cna\": {\"title\": \"quic-go\u0027s path validation mechanism can cause denial of service\", \"source\": {\"advisory\": \"GHSA-ppxx-5m9h-6vxf\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.4, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"quic-go\", \"product\": \"quic-go\", \"versions\": [{\"status\": \"affected\", \"version\": \"= 0.40.0\"}, {\"status\": \"affected\", \"version\": \"\u003e= 0.39.0, \u003c 0.39.4\"}, {\"status\": \"affected\", \"version\": \"\u003e= 0.38.0, \u003c 0.38.2\"}, {\"status\": \"affected\", \"version\": \"\u003c 0.37.7\"}]}], \"references\": [{\"url\": \"https://github.com/quic-go/quic-go/security/advisories/GHSA-ppxx-5m9h-6vxf\", \"name\": \"https://github.com/quic-go/quic-go/security/advisories/GHSA-ppxx-5m9h-6vxf\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/quic-go/quic-go/commit/17fc98c2d81dbe685c19702dc694a9d606ac56dc\", \"name\": \"https://github.com/quic-go/quic-go/commit/17fc98c2d81dbe685c19702dc694a9d606ac56dc\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/quic-go/quic-go/commit/21609ddfeff93668c7625a85eb09f1541fdad965\", \"name\": \"https://github.com/quic-go/quic-go/commit/21609ddfeff93668c7625a85eb09f1541fdad965\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/quic-go/quic-go/commit/3a9c18bcd27a01c551ac9bf8bd2b4bded77c189a\", \"name\": \"https://github.com/quic-go/quic-go/commit/3a9c18bcd27a01c551ac9bf8bd2b4bded77c189a\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/quic-go/quic-go/commit/554d543b50b917369fb1394cc5396d928166cf49\", \"name\": \"https://github.com/quic-go/quic-go/commit/554d543b50b917369fb1394cc5396d928166cf49\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/quic-go/quic-go/commit/6cc3d58935426191296171a6c0d1ee965e10534e\", \"name\": \"https://github.com/quic-go/quic-go/commit/6cc3d58935426191296171a6c0d1ee965e10534e\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/quic-go/quic-go/commit/9aaefe19fc3dc8c8917cc87e6128bb56d9e9e6cc\", \"name\": \"https://github.com/quic-go/quic-go/commit/9aaefe19fc3dc8c8917cc87e6128bb56d9e9e6cc\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/quic-go/quic-go/commit/a0ffa757499913f7be69aa78f573a6aee3430ae4\", \"name\": \"https://github.com/quic-go/quic-go/commit/a0ffa757499913f7be69aa78f573a6aee3430ae4\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/quic-go/quic-go/commit/d7aa627ebde91cf799ada2a07443faa9b1e5abb8\", \"name\": \"https://github.com/quic-go/quic-go/commit/d7aa627ebde91cf799ada2a07443faa9b1e5abb8\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G5RSHDTVMYAIGYVVFGKTMFHAZJMA3EVV/\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZE7IOKXX5AATU2WR3V76X5Y3A44QAATG/\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"quic-go is an implementation of the QUIC protocol (RFC 9000, RFC 9001, RFC 9002) in Go. An attacker can cause its peer to run out of memory sending a large number of PATH_CHALLENGE frames. The receiver is supposed to respond to each PATH_CHALLENGE frame with a PATH_RESPONSE frame. The attacker can prevent the receiver from sending out (the vast majority of) these PATH_RESPONSE frames by collapsing the peers congestion window (by selectively acknowledging received packets) and by manipulating the peer\u0027s RTT estimate. This vulnerability has been patched in versions 0.37.7, 0.38.2 and 0.39.4.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-400\", \"description\": \"CWE-400: Uncontrolled Resource Consumption\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-02-21T02:06:00.030Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-49295\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-06-17T20:59:15.978Z\", \"dateReserved\": \"2023-11-24T16:45:24.314Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-01-10T21:40:58.881Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GSD-2023-49295

Vulnerability from gsd - Updated: 2023-12-13 01:20

Details

Aliases

CVE-2023-49295

Aliases

CVE-2023-49295

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2023-49295",
    "id": "GSD-2023-49295"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-49295"
      ],
      "details": "quic-go is an implementation of the QUIC protocol (RFC 9000, RFC 9001, RFC 9002) in Go. An attacker can cause its peer to run out of memory sending a large number of PATH_CHALLENGE frames. The receiver is supposed to respond to each PATH_CHALLENGE frame with a PATH_RESPONSE frame. The attacker can prevent the receiver from sending out (the vast majority of) these PATH_RESPONSE frames by collapsing the peers congestion window (by selectively acknowledging received packets) and by manipulating the peer\u0027s RTT estimate. This vulnerability has been patched in versions 0.37.7, 0.38.2 and 0.39.4.",
      "id": "GSD-2023-49295",
      "modified": "2023-12-13T01:20:35.054107Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2023-49295",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "quic-go",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "= 0.40.0"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "\u003e= 0.39.0, \u003c 0.39.4"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "\u003e= 0.38.0, \u003c 0.38.2"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "\u003c 0.37.7"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "quic-go"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "quic-go is an implementation of the QUIC protocol (RFC 9000, RFC 9001, RFC 9002) in Go. An attacker can cause its peer to run out of memory sending a large number of PATH_CHALLENGE frames. The receiver is supposed to respond to each PATH_CHALLENGE frame with a PATH_RESPONSE frame. The attacker can prevent the receiver from sending out (the vast majority of) these PATH_RESPONSE frames by collapsing the peers congestion window (by selectively acknowledging received packets) and by manipulating the peer\u0027s RTT estimate. This vulnerability has been patched in versions 0.37.7, 0.38.2 and 0.39.4."
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-400",
                "lang": "eng",
                "value": "CWE-400: Uncontrolled Resource Consumption"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/quic-go/quic-go/security/advisories/GHSA-ppxx-5m9h-6vxf",
            "refsource": "MISC",
            "url": "https://github.com/quic-go/quic-go/security/advisories/GHSA-ppxx-5m9h-6vxf"
          },
          {
            "name": "https://github.com/quic-go/quic-go/commit/17fc98c2d81dbe685c19702dc694a9d606ac56dc",
            "refsource": "MISC",
            "url": "https://github.com/quic-go/quic-go/commit/17fc98c2d81dbe685c19702dc694a9d606ac56dc"
          },
          {
            "name": "https://github.com/quic-go/quic-go/commit/21609ddfeff93668c7625a85eb09f1541fdad965",
            "refsource": "MISC",
            "url": "https://github.com/quic-go/quic-go/commit/21609ddfeff93668c7625a85eb09f1541fdad965"
          },
          {
            "name": "https://github.com/quic-go/quic-go/commit/3a9c18bcd27a01c551ac9bf8bd2b4bded77c189a",
            "refsource": "MISC",
            "url": "https://github.com/quic-go/quic-go/commit/3a9c18bcd27a01c551ac9bf8bd2b4bded77c189a"
          },
          {
            "name": "https://github.com/quic-go/quic-go/commit/554d543b50b917369fb1394cc5396d928166cf49",
            "refsource": "MISC",
            "url": "https://github.com/quic-go/quic-go/commit/554d543b50b917369fb1394cc5396d928166cf49"
          },
          {
            "name": "https://github.com/quic-go/quic-go/commit/6cc3d58935426191296171a6c0d1ee965e10534e",
            "refsource": "MISC",
            "url": "https://github.com/quic-go/quic-go/commit/6cc3d58935426191296171a6c0d1ee965e10534e"
          },
          {
            "name": "https://github.com/quic-go/quic-go/commit/9aaefe19fc3dc8c8917cc87e6128bb56d9e9e6cc",
            "refsource": "MISC",
            "url": "https://github.com/quic-go/quic-go/commit/9aaefe19fc3dc8c8917cc87e6128bb56d9e9e6cc"
          },
          {
            "name": "https://github.com/quic-go/quic-go/commit/a0ffa757499913f7be69aa78f573a6aee3430ae4",
            "refsource": "MISC",
            "url": "https://github.com/quic-go/quic-go/commit/a0ffa757499913f7be69aa78f573a6aee3430ae4"
          },
          {
            "name": "https://github.com/quic-go/quic-go/commit/d7aa627ebde91cf799ada2a07443faa9b1e5abb8",
            "refsource": "MISC",
            "url": "https://github.com/quic-go/quic-go/commit/d7aa627ebde91cf799ada2a07443faa9b1e5abb8"
          },
          {
            "name": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G5RSHDTVMYAIGYVVFGKTMFHAZJMA3EVV/",
            "refsource": "MISC",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G5RSHDTVMYAIGYVVFGKTMFHAZJMA3EVV/"
          },
          {
            "name": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZE7IOKXX5AATU2WR3V76X5Y3A44QAATG/",
            "refsource": "MISC",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZE7IOKXX5AATU2WR3V76X5Y3A44QAATG/"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-ppxx-5m9h-6vxf",
        "discovery": "UNKNOWN"
      }
    },
    "nvd.nist.gov": {
      "cve": {
        "configurations": [
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:a:quic-go_project:quic-go:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "F0754377-65C6-4A24-8041-85F73B5630C9",
                    "versionEndExcluding": "0.37.7",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:quic-go_project:quic-go:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "A687FF1B-43B1-4A23-895E-F328C03FA36F",
                    "versionEndExcluding": "0.38.2",
                    "versionStartIncluding": "0.38.0",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:quic-go_project:quic-go:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "BF599C83-08F6-49B5-965E-927A2004F578",
                    "versionEndExcluding": "0.39.4",
                    "versionStartIncluding": "0.39.0",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:quic-go_project:quic-go:0.40.0:*:*:*:*:*:*:*",
                    "matchCriteriaId": "BFFA39B2-37BF-4F09-99CD-3665ABC16177",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          }
        ],
        "descriptions": [
          {
            "lang": "en",
            "value": "quic-go is an implementation of the QUIC protocol (RFC 9000, RFC 9001, RFC 9002) in Go. An attacker can cause its peer to run out of memory sending a large number of PATH_CHALLENGE frames. The receiver is supposed to respond to each PATH_CHALLENGE frame with a PATH_RESPONSE frame. The attacker can prevent the receiver from sending out (the vast majority of) these PATH_RESPONSE frames by collapsing the peers congestion window (by selectively acknowledging received packets) and by manipulating the peer\u0027s RTT estimate. This vulnerability has been patched in versions 0.37.7, 0.38.2 and 0.39.4."
          },
          {
            "lang": "es",
            "value": "quic-go es una implementaci\u00f3n del protocolo QUIC (RFC 9000, RFC 9001, RFC 9002) en Go. Un atacante puede hacer que su par se quede sin memoria enviando una gran cantidad de tramas PATH_CHALLENGE. Se supone que el receptor debe responder a cada trama PATH_CHALLENGE con una trama PATH_RESPONSE. El atacante puede evitar que el receptor env\u00ede (la gran mayor\u00eda de) estas tramas PATH_RESPONSE colapsando la ventana de congesti\u00f3n del par (al reconocer selectivamente los paquetes recibidos) y manipulando la estimaci\u00f3n de RTT del par. Esta vulnerabilidad ha sido parcheada en las versiones 0.37.7, 0.38.2 y 0.39.4."
          }
        ],
        "id": "CVE-2023-49295",
        "lastModified": "2024-02-21T03:15:08.410",
        "metrics": {
          "cvssMetricV31": [
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "exploitabilityScore": 2.8,
              "impactScore": 3.6,
              "source": "nvd@nist.gov",
              "type": "Primary"
            },
            {
              "cvssData": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H",
                "version": "3.1"
              },
              "exploitabilityScore": 1.6,
              "impactScore": 4.7,
              "source": "security-advisories@github.com",
              "type": "Secondary"
            }
          ]
        },
        "published": "2024-01-10T22:15:50.610",
        "references": [
          {
            "source": "security-advisories@github.com",
            "tags": [
              "Patch"
            ],
            "url": "https://github.com/quic-go/quic-go/commit/17fc98c2d81dbe685c19702dc694a9d606ac56dc"
          },
          {
            "source": "security-advisories@github.com",
            "tags": [
              "Patch"
            ],
            "url": "https://github.com/quic-go/quic-go/commit/21609ddfeff93668c7625a85eb09f1541fdad965"
          },
          {
            "source": "security-advisories@github.com",
            "tags": [
              "Patch"
            ],
            "url": "https://github.com/quic-go/quic-go/commit/3a9c18bcd27a01c551ac9bf8bd2b4bded77c189a"
          },
          {
            "source": "security-advisories@github.com",
            "tags": [
              "Patch"
            ],
            "url": "https://github.com/quic-go/quic-go/commit/554d543b50b917369fb1394cc5396d928166cf49"
          },
          {
            "source": "security-advisories@github.com",
            "tags": [
              "Patch"
            ],
            "url": "https://github.com/quic-go/quic-go/commit/6cc3d58935426191296171a6c0d1ee965e10534e"
          },
          {
            "source": "security-advisories@github.com",
            "tags": [
              "Patch"
            ],
            "url": "https://github.com/quic-go/quic-go/commit/9aaefe19fc3dc8c8917cc87e6128bb56d9e9e6cc"
          },
          {
            "source": "security-advisories@github.com",
            "tags": [
              "Patch"
            ],
            "url": "https://github.com/quic-go/quic-go/commit/a0ffa757499913f7be69aa78f573a6aee3430ae4"
          },
          {
            "source": "security-advisories@github.com",
            "tags": [
              "Patch"
            ],
            "url": "https://github.com/quic-go/quic-go/commit/d7aa627ebde91cf799ada2a07443faa9b1e5abb8"
          },
          {
            "source": "security-advisories@github.com",
            "tags": [
              "Vendor Advisory"
            ],
            "url": "https://github.com/quic-go/quic-go/security/advisories/GHSA-ppxx-5m9h-6vxf"
          },
          {
            "source": "security-advisories@github.com",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G5RSHDTVMYAIGYVVFGKTMFHAZJMA3EVV/"
          },
          {
            "source": "security-advisories@github.com",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZE7IOKXX5AATU2WR3V76X5Y3A44QAATG/"
          }
        ],
        "sourceIdentifier": "security-advisories@github.com",
        "vulnStatus": "Modified",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-400"
              }
            ],
            "source": "security-advisories@github.com",
            "type": "Primary"
          }
        ]
      }
    }
  }
}

GHSA-PPXX-5M9H-6VXF

Vulnerability from github – Published: 2024-01-10 15:08 – Updated: 2024-05-20 21:59

Summary

quic-go's path validation mechanism can be exploited to cause denial of service

Details

An attacker can cause its peer to run out of memory sending a large number of PATH_CHALLENGE frames. The receiver is supposed to respond to each PATH_CHALLENGE frame with a PATH_RESPONSE frame. The attacker can prevent the receiver from sending out (the vast majority of) these PATH_RESPONSE frames by collapsing the peers congestion window (by selectively acknowledging received packets) and by manipulating the peer's RTT estimate.

I published a more detailed description of the attack and its mitigation in this blog post: https://seemann.io/posts/2023-12-18-exploiting-quics-path-validation/

There's no way to mitigate this attack, please update quic-go to a version that contains the fix.

Severity ?

6.4 (Medium)


                  
                    CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/quic-go/quic-go"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.40.0"
            },
            {
              "fixed": "0.40.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.40.0"
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/quic-go/quic-go"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.39.0"
            },
            {
              "fixed": "0.39.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/quic-go/quic-go"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.38.0"
            },
            {
              "fixed": "0.38.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/quic-go/quic-go"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.37.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-49295"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-10T15:08:40Z",
    "nvd_published_at": "2024-01-10T22:15:50Z",
    "severity": "MODERATE"
  },
  "details": "An attacker can cause its peer to run out of memory sending a large number of PATH_CHALLENGE frames. The receiver is supposed to respond to each PATH_CHALLENGE frame with a PATH_RESPONSE frame. The attacker can prevent the receiver from sending out (the vast majority of) these PATH_RESPONSE frames by collapsing the peers congestion window (by selectively acknowledging received packets) and by manipulating the peer\u0027s RTT estimate.\n\nI published a more detailed description of the attack and its mitigation in this blog post: https://seemann.io/posts/2023-12-18-exploiting-quics-path-validation/\n\nThere\u0027s no way to mitigate this attack, please update quic-go to a version that contains the fix.",
  "id": "GHSA-ppxx-5m9h-6vxf",
  "modified": "2024-05-20T21:59:16Z",
  "published": "2024-01-10T15:08:40Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/quic-go/quic-go/security/advisories/GHSA-ppxx-5m9h-6vxf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49295"
    },
    {
      "type": "WEB",
      "url": "https://github.com/quic-go/quic-go/commit/17fc98c2d81dbe685c19702dc694a9d606ac56dc"
    },
    {
      "type": "WEB",
      "url": "https://github.com/quic-go/quic-go/commit/21609ddfeff93668c7625a85eb09f1541fdad965"
    },
    {
      "type": "WEB",
      "url": "https://github.com/quic-go/quic-go/commit/3a9c18bcd27a01c551ac9bf8bd2b4bded77c189a"
    },
    {
      "type": "WEB",
      "url": "https://github.com/quic-go/quic-go/commit/554d543b50b917369fb1394cc5396d928166cf49"
    },
    {
      "type": "WEB",
      "url": "https://github.com/quic-go/quic-go/commit/6cc3d58935426191296171a6c0d1ee965e10534e"
    },
    {
      "type": "WEB",
      "url": "https://github.com/quic-go/quic-go/commit/9aaefe19fc3dc8c8917cc87e6128bb56d9e9e6cc"
    },
    {
      "type": "WEB",
      "url": "https://github.com/quic-go/quic-go/commit/a0ffa757499913f7be69aa78f573a6aee3430ae4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/quic-go/quic-go/commit/d7aa627ebde91cf799ada2a07443faa9b1e5abb8"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/quic-go/quic-go"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G5RSHDTVMYAIGYVVFGKTMFHAZJMA3EVV"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZE7IOKXX5AATU2WR3V76X5Y3A44QAATG"
    },
    {
      "type": "WEB",
      "url": "https://seemann.io/posts/2023-12-18-exploiting-quics-path-validation"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "quic-go\u0027s path validation mechanism can be exploited to cause denial of service"
}

FKIE_CVE-2023-49295

Vulnerability from fkie_nvd - Published: 2024-01-10 22:15 - Updated: 2024-11-21 08:33

Severity ?

6.4 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/quic-go/quic-go/commit/17fc98c2d81dbe685c19702dc694a9d606ac56dc	Patch
security-advisories@github.com	https://github.com/quic-go/quic-go/commit/21609ddfeff93668c7625a85eb09f1541fdad965	Patch
security-advisories@github.com	https://github.com/quic-go/quic-go/commit/3a9c18bcd27a01c551ac9bf8bd2b4bded77c189a	Patch
security-advisories@github.com	https://github.com/quic-go/quic-go/commit/554d543b50b917369fb1394cc5396d928166cf49	Patch
security-advisories@github.com	https://github.com/quic-go/quic-go/commit/6cc3d58935426191296171a6c0d1ee965e10534e	Patch
security-advisories@github.com	https://github.com/quic-go/quic-go/commit/9aaefe19fc3dc8c8917cc87e6128bb56d9e9e6cc	Patch
security-advisories@github.com	https://github.com/quic-go/quic-go/commit/a0ffa757499913f7be69aa78f573a6aee3430ae4	Patch
security-advisories@github.com	https://github.com/quic-go/quic-go/commit/d7aa627ebde91cf799ada2a07443faa9b1e5abb8	Patch
security-advisories@github.com	https://github.com/quic-go/quic-go/security/advisories/GHSA-ppxx-5m9h-6vxf	Vendor Advisory
security-advisories@github.com	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G5RSHDTVMYAIGYVVFGKTMFHAZJMA3EVV/
security-advisories@github.com	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZE7IOKXX5AATU2WR3V76X5Y3A44QAATG/
af854a3a-2127-422b-91ae-364da2661108	https://github.com/quic-go/quic-go/commit/17fc98c2d81dbe685c19702dc694a9d606ac56dc	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/quic-go/quic-go/commit/21609ddfeff93668c7625a85eb09f1541fdad965	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/quic-go/quic-go/commit/3a9c18bcd27a01c551ac9bf8bd2b4bded77c189a	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/quic-go/quic-go/commit/554d543b50b917369fb1394cc5396d928166cf49	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/quic-go/quic-go/commit/6cc3d58935426191296171a6c0d1ee965e10534e	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/quic-go/quic-go/commit/9aaefe19fc3dc8c8917cc87e6128bb56d9e9e6cc	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/quic-go/quic-go/commit/a0ffa757499913f7be69aa78f573a6aee3430ae4	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/quic-go/quic-go/commit/d7aa627ebde91cf799ada2a07443faa9b1e5abb8	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/quic-go/quic-go/security/advisories/GHSA-ppxx-5m9h-6vxf	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G5RSHDTVMYAIGYVVFGKTMFHAZJMA3EVV/
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZE7IOKXX5AATU2WR3V76X5Y3A44QAATG/

Impacted products

Vendor	Product	Version
quic-go_project	quic-go	*
quic-go_project	quic-go	*
quic-go_project	quic-go	*
quic-go_project	quic-go	0.40.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:quic-go_project:quic-go:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "F0754377-65C6-4A24-8041-85F73B5630C9",
              "versionEndExcluding": "0.37.7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:quic-go_project:quic-go:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A687FF1B-43B1-4A23-895E-F328C03FA36F",
              "versionEndExcluding": "0.38.2",
              "versionStartIncluding": "0.38.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:quic-go_project:quic-go:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "BF599C83-08F6-49B5-965E-927A2004F578",
              "versionEndExcluding": "0.39.4",
              "versionStartIncluding": "0.39.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:quic-go_project:quic-go:0.40.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "BFFA39B2-37BF-4F09-99CD-3665ABC16177",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "quic-go is an implementation of the QUIC protocol (RFC 9000, RFC 9001, RFC 9002) in Go. An attacker can cause its peer to run out of memory sending a large number of PATH_CHALLENGE frames. The receiver is supposed to respond to each PATH_CHALLENGE frame with a PATH_RESPONSE frame. The attacker can prevent the receiver from sending out (the vast majority of) these PATH_RESPONSE frames by collapsing the peers congestion window (by selectively acknowledging received packets) and by manipulating the peer\u0027s RTT estimate. This vulnerability has been patched in versions 0.37.7, 0.38.2 and 0.39.4."
    },
    {
      "lang": "es",
      "value": "quic-go es una implementaci\u00f3n del protocolo QUIC (RFC 9000, RFC 9001, RFC 9002) en Go. Un atacante puede hacer que su par se quede sin memoria enviando una gran cantidad de tramas PATH_CHALLENGE. Se supone que el receptor debe responder a cada trama PATH_CHALLENGE con una trama PATH_RESPONSE. El atacante puede evitar que el receptor env\u00ede (la gran mayor\u00eda de) estas tramas PATH_RESPONSE colapsando la ventana de congesti\u00f3n del par (al reconocer selectivamente los paquetes recibidos) y manipulando la estimaci\u00f3n de RTT del par. Esta vulnerabilidad ha sido parcheada en las versiones 0.37.7, 0.38.2 y 0.39.4."
    }
  ],
  "id": "CVE-2023-49295",
  "lastModified": "2024-11-21T08:33:12.607",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 6.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.6,
        "impactScore": 4.7,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-01-10T22:15:50.610",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/quic-go/quic-go/commit/17fc98c2d81dbe685c19702dc694a9d606ac56dc"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/quic-go/quic-go/commit/21609ddfeff93668c7625a85eb09f1541fdad965"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/quic-go/quic-go/commit/3a9c18bcd27a01c551ac9bf8bd2b4bded77c189a"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/quic-go/quic-go/commit/554d543b50b917369fb1394cc5396d928166cf49"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/quic-go/quic-go/commit/6cc3d58935426191296171a6c0d1ee965e10534e"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/quic-go/quic-go/commit/9aaefe19fc3dc8c8917cc87e6128bb56d9e9e6cc"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/quic-go/quic-go/commit/a0ffa757499913f7be69aa78f573a6aee3430ae4"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/quic-go/quic-go/commit/d7aa627ebde91cf799ada2a07443faa9b1e5abb8"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/quic-go/quic-go/security/advisories/GHSA-ppxx-5m9h-6vxf"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G5RSHDTVMYAIGYVVFGKTMFHAZJMA3EVV/"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZE7IOKXX5AATU2WR3V76X5Y3A44QAATG/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/quic-go/quic-go/commit/17fc98c2d81dbe685c19702dc694a9d606ac56dc"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/quic-go/quic-go/commit/21609ddfeff93668c7625a85eb09f1541fdad965"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/quic-go/quic-go/commit/3a9c18bcd27a01c551ac9bf8bd2b4bded77c189a"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/quic-go/quic-go/commit/554d543b50b917369fb1394cc5396d928166cf49"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/quic-go/quic-go/commit/6cc3d58935426191296171a6c0d1ee965e10534e"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/quic-go/quic-go/commit/9aaefe19fc3dc8c8917cc87e6128bb56d9e9e6cc"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/quic-go/quic-go/commit/a0ffa757499913f7be69aa78f573a6aee3430ae4"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/quic-go/quic-go/commit/d7aa627ebde91cf799ada2a07443faa9b1e5abb8"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/quic-go/quic-go/security/advisories/GHSA-ppxx-5m9h-6vxf"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G5RSHDTVMYAIGYVVFGKTMFHAZJMA3EVV/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZE7IOKXX5AATU2WR3V76X5Y3A44QAATG/"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-400"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2023-49295 (GCVE-0-2023-49295)

GSD-2023-49295

GHSA-PPXX-5M9H-6VXF

FKIE_CVE-2023-49295

Tags

Sightings

Nomenclature