CVE-2024-22189Allocation of Resources Without Limits or Throttling in Quic-go

CWE-770Allocation of Resources Without Limits or ThrottlingCWE-400Uncontrolled Resource Consumption9 documents7 sources
Severity
7.5HIGHNVD
EPSS
0.1%
top 79.59%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Quic-goGithub.com Quic-go Quic-go
Timeline
PublishedApr 4
Latest updateApr 9

Description

quic-go is an implementation of the QUIC protocol in Go. Prior to version 0.42.0, an attacker can cause its peer to run out of memory sending a large number of `NEW_CONNECTION_ID` frames that retire old connection IDs. The receiver is supposed to respond to each retirement frame with a `RETIRE_CONNECTION_ID` frame. The attacker can prevent the receiver from sending out (the vast majority of) these `RETIRE_CONNECTION_ID` frames by collapsing the peers congestion window (by selectively acknowledgi

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

CVEListV5quic-go/quic-go< 0.42.0

🔴Vulnerability Details

5
OSV
Denial of service via connection starvation in github.com/quic-go/quic-go2024-04-05
CVEList
QUIC's Connection ID Mechanism vulnerable to Memory Exhaustion Attack2024-04-04
OSV
CVE-2024-22189: quic-go is an implementation of the QUIC protocol in Go2024-04-04
OSV
QUIC's Connection ID Mechanism vulnerable to Memory Exhaustion Attack2024-04-02
GHSA
QUIC's Connection ID Mechanism vulnerable to Memory Exhaustion Attack2024-04-02

📋Vendor Advisories

3
Microsoft
QUIC's Connection ID Mechanism vulnerable to Memory Exhaustion Attack2024-04-09
Red Hat
quic-go: memory exhaustion attack against QUIC's connection ID mechanism2024-04-04
Debian
CVE-2024-22189: golang-github-lucas-clemente-quic-go - quic-go is an implementation of the QUIC protocol in Go. Prior to version 0.42.0...2024
CVE-2024-22189 — Quic-go vulnerability | cvebase