CVE-2023-39321
Published 2023-09-08
CVE-2023-39321: Processing an incomplete post-handshake message for a QUIC connection can cause a panic.
Priority: P335 · Severity: high · CVSS 3.1 base score: 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 1.15% (62.8th percentile)
Processing an incomplete post-handshake message for a QUIC connection can cause a panic.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| go_standard_library | crypto_tls | >= 1.21.0-0 < 1.21.1 | 1.21.1 |
| golang | go | >= 1.21.0 < 1.21.1 | 1.21.1 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| osv | | 7.5 | HIGH | |
| vendor_redhat | | 7.5 | HIGH | |
Red Hat
golang: crypto/tls: panic when processing post-handshake message on QUIC connections
vendor_redhat·2023-09-06·CVSS 7.5
CVE-2023-39321 [HIGH] CWE-805 golang: crypto/tls: panic when processing post-handshake message on QUIC connections
Processing an incomplete post-handshake message for a QUIC connection can cause a panic.
A flaw was found in Golang. Processing an incomplete post-handshake message for a QUIC connection caused a panic.
Statement: The flaw has been marked as moderate instead of high like NVD. QUICConn.HandleData buffers data and passes it to handlePostHandshakeMessage every time the buffer contains a complete message; while HandleData doesn't limit the amount of data it can buffer, a panic or denial of service would likely be lower severity. Also, in order to exploit this vulnerability, an attacker would have to smuggle partial handshake data, which might be rejected altogether as per the TLS RFC specification. Therefore because
GHSA
GHSA-9v7r-x7cv-v437: Processing an incomplete post-handshake message for a QUIC connection can cause a panic
ghsa_unreviewed·2023-09-08
CVE-2023-39321 [HIGH] CWE-400 GHSA-9v7r-x7cv-v437: Processing an incomplete post-handshake message for a QUIC connection can cause a panic
Processing an incomplete post-handshake message for a QUIC connection can cause a panic.
OSV
CVE-2023-39321: Processing an incomplete post-handshake message for a QUIC connection can cause a panic
osv·2023-09-08·CVSS 7.5
CVE-2023-39321 [HIGH] CVE-2023-39321: Processing an incomplete post-handshake message for a QUIC connection can cause a panic
Processing an incomplete post-handshake message for a QUIC connection can cause a panic.
OSV
Panic when processing post-handshake message on QUIC connections in crypto/tls
osv·2023-09-07
CVE-2023-39321 Panic when processing post-handshake message on QUIC connections in crypto/tls
Processing an incomplete post-handshake message for a QUIC connection can cause a panic.
No detection rules found.
No public exploits indexed.
References:
- https://go.dev/cl/523039
- https://go.dev/issue/62266
- https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ
- https://pkg.go.dev/vuln/GO-2023-2044
- https://security.gentoo.org/glsa/202311-09
- https://security.netapp.com/advisory/ntap-20231020-0004/
Published: 2023-09-08