CVE-2024-22189

Aliases:GHSA-c33x-xqrf-c478GO-2024-2682

Advisory lineage Upstream: 0 Downstream: 10

Downstream

DEBIAN-CVE-2024-22189 OPENSUSE-SU-2024:0211-1 OPENSUSE-SU-2024:0220-1 OPENSUSE-SU-2024:0319-1 OPENSUSE-SU-2024:13845-1 OPENSUSE-SU-2024:13847-1

Deferred

Published: 04 Apr 2024, 14:25

Last modified:23 Aug 2024, 19:29

Vulnerability Summary

Overall Risk (default)

medium

30/100

CVSS Score

7.5 HIGH

v3.1 (cve.org)

EPSS Score

0.09% LOW

0% probability +0.02%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

04 Apr 2024, 14:25

Published

Vulnerability first disclosed

23 Aug 2024, 19:29

Last Modified

Vulnerability information updated

Description

quic-go is an implementation of the QUIC protocol in Go. Prior to version 0.42.0, an attacker can cause its peer to run out of memory sending a large number of `NEW_CONNECTION_ID` frames that retire old connection IDs. The receiver is supposed to respond to each retirement frame with a `RETIRE_CONNECTION_ID` frame. The attacker can prevent the receiver from sending out (the vast majority of) these `RETIRE_CONNECTION_ID` frames by collapsing the peers congestion window (by selectively acknowledging received packets) and by manipulating the peer's RTT estimate. Version 0.42.0 contains a patch for the issue. No known workarounds are available.

CVSS Metrics

v3.1•HIGH•Score: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Trends

Current EPSS score: 0.09%• Percentile: 25%

Techniques & Countermeasures

CWE-770•Allocation of Resources Without Limits or Throttling
The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

Affected Systems

github.com/quic-go•quic-go
< 0.42.0
quic-go•quic-go
< 0.42.0