CVE-2023-46239Uncaught Exception in Quic-go Quic-go

CWE-248Uncaught ExceptionCWE-476NULL Pointer Dereference7 documents5 sources
Severity
7.5HIGHNVD
EPSS
0.4%
top 37.40%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Github.com Quic-go Quic-goQuic-go Project Quic-goQuic-go
Timeline
PublishedOct 31
Latest updateNov 2

Description

quic-go is an implementation of the QUIC protocol in Go. Starting in version 0.37.0 and prior to version 0.37.3, by serializing an ACK frame after the CRYTPO that allows a node to complete the handshake, a remote node could trigger a nil pointer dereference (leading to a panic) when the node attempted to drop the Handshake packet number space. An attacker can bring down a quic-go node with very minimal effort. Completing the QUIC handshake only requires sending and receiving a few packets. Versi

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

NVDquic-go_project/quic-go0.37.00.37.3
Gogithub.com/quic-go_quic-go0.37.00.37.3
CVEListV5quic-go/quic-go>= 0.37.0, < 0.37.3

Patches

Patch: github.comPatch: github.comPatch: github.com

🔴Vulnerability Details

5
OSV
Panic during QUIC handshake in github.com/quic-go/quic-go2023-11-02
CVEList
quic-go vulnerable to pointer dereference that can lead to panic2023-10-31
OSV
CVE-2023-46239: quic-go is an implementation of the QUIC protocol in Go2023-10-31
GHSA
quic-go vulnerable to pointer dereference that can lead to panic2023-10-30
OSV
quic-go vulnerable to pointer dereference that can lead to panic2023-10-30

📋Vendor Advisories

1
Debian
CVE-2023-46239: golang-github-lucas-clemente-quic-go - quic-go is an implementation of the QUIC protocol in Go. Starting in version 0.3...2023
CVE-2023-46239 — Uncaught Exception in Quic-go Quic-go | cvebase