CVE-2022-30591Uncontrolled Resource Consumption in Project Quic-go

CWE-400Uncontrolled Resource Consumption6 documents5 sources
Severity
7.5HIGHNVD
EPSS
11.9%
top 6.25%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Quic-go Project Quic-go
Timeline
PublishedJul 6
Latest updateJul 7

Description

quic-go through 0.27.0 allows remote attackers to cause a denial of service (CPU consumption) via a Slowloris variant in which incomplete QUIC or HTTP/3 requests are sent. This occurs because mtu_discoverer.go misparses the MTU Discovery service and consequently overflows the probe timer. NOTE: the vendor's position is that this behavior should not be listed as a vulnerability on the CVE List

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages1 packages

🔴Vulnerability Details

4
GHSA
GHSA-w2rh-hf85-pfh4: ** DISPUTED ** quic-go through 02022-07-07
OSV
CVE-2022-30591: ** DISPUTED ** quic-go through 02022-07-06
CVEList
CVE-2022-30591: quic-go through 02022-07-06
OSV
CVE-2022-30591: quic-go through 02022-07-06

📋Vendor Advisories

1
Debian
CVE-2022-30591: golang-github-lucas-clemente-quic-go - quic-go through 0.27.0 allows remote attackers to cause a denial of service (CPU...2022
CVE-2022-30591 — Uncontrolled Resource Consumption | cvebase