Headline

GHSA-3q6m-v84f-6p9h: quic-go vulnerable to pointer dereference that can lead to panic

quic-go is an implementation of the QUIC transport protocol in Go. By serializing an ACK frame after the CRYTPO that allows a node to complete the handshake, a remote node could trigger a nil pointer dereference (leading to a panic) when the node attempted to drop the Handshake packet number space.

Impact

An attacker can bring down a quic-go node with very minimal effort. Completing the QUIC handshake only requires sending and receiving a few packets.

Patches

v0.37.3 contains a patch. Versions before v0.37.0 are not affected.

1 year ago

ghsa

Open in Source

#git

GitHub Advisory Database
GitHub Reviewed
CVE-2023-46239

quic-go vulnerable to pointer dereference that can lead to panic

Moderate severity GitHub Reviewed Published Oct 27, 2023 in quic-go/quic-go • Updated Oct 30, 2023

Package

gomod github.com/quic-go/quic-go (Go)

Affected versions

>= 0.37.0, < 0.37.3

Impact

An attacker can bring down a quic-go node with very minimal effort. Completing the QUIC handshake only requires sending and receiving a few packets.

Patches

v0.37.3 contains a patch. Versions before v0.37.0 are not affected.

References

GHSA-3q6m-v84f-6p9h
quic-go/quic-go@b6a4725
https://github.com/quic-go/quic-go/releases/tag/v0.37.3

Published to the GitHub Advisory Database

Oct 30, 2023

Last updated

Oct 30, 2023

quic-go is an implementation of the QUIC protocol in Go. Starting in version 0.37.0 and prior to version 0.37.3, by serializing an ACK frame after the CRYTPO that allows a node to complete the handshake, a remote node could trigger a nil pointer dereference (leading to a panic) when the node attempted to drop the Handshake packet number space. An attacker can bring down a quic-go node with very minimal effort. Completing the QUIC handshake only requires sending and receiving a few packets. Version 0.37.3 contains a patch. Versions before 0.37.0 are not affected.

1 year ago

CVE

Open in Source

#acer