CVE-2024-22189

EPSS 0.07%
Veröffentlicht 04.04.2024 15:15:37
Zuletzt bearbeitet 21.11.2024 08:55:45
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

quic-go is an implementation of the QUIC protocol in Go. Prior to version 0.42.0, an attacker can cause its peer to run out of memory sending a large number of `NEW_CONNECTION_ID` frames that retire old connection IDs. The receiver is supposed to respond to each retirement frame with a `RETIRE_CONNECTION_ID` frame. The attacker can prevent the receiver from sending out (the vast majority of) these `RETIRE_CONNECTION_ID` frames by collapsing the peers congestion window (by selectively acknowledging received packets) and by manipulating the peer's RTT estimate. Version 0.42.0 contains a patch for the issue. No known workarounds are available.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 7

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von Authorized Data Publishers (ADP) (Unstrukturiert)

Herstellerquic-go_project

≫

Produkt quic-go

Default Statusunknown

Version < 0.42.0

Version 0

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.07%	0.205

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-770 Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

https://github.com/quic-go/quic-go/commit/4a99b816ae3ab03ae5449d15aac45147c85ed47a

https://github.com/quic-go/quic-go/security/advisories/GHSA-c33x-xqrf-c478

https://seemann.io/posts/2024-03-19-exploiting-quics-connection-id-management

https://www.youtube.com/watch?v=JqXtYcZAtIA&t=3683s

https://nvd.nist.gov/vuln/detail/CVE-2024-22189

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-22189

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-22189

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-22189