CVE-2024-53259Insufficient Verification of Data Authenticity in Quic-go

CWE-345Insufficient Verification of Data Authenticity12 documents7 sources
Severity
6.5MEDIUMNVD
EPSS
0.8%
top 26.71%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Quic-goGithub.com Quic-go Quic-goGithub.com Traefik Traefik V2+1 more
Timeline
PublishedDec 2
Latest updateDec 20

Description

quic-go is an implementation of the QUIC protocol in Go. An off-path attacker can inject an ICMP Packet Too Large packet. Since affected quic-go versions used IP_PMTUDISC_DO, the kernel would then return a "message too large" error on sendmsg, i.e. when quic-go attempts to send a packet that exceeds the MTU claimed in that ICMP packet. By setting this value to smaller than 1200 bytes (the minimum MTU for QUIC), the attacker can disrupt a QUIC connection. Crucially, this can be done after complet

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages4 packages

CVEListV5quic-go/quic-go< 0.48.2

🔴Vulnerability Details

8
OSV
Traefik affected by CVE-2024-53259 in github.com/traefik/traefik2024-12-20
OSV
Traefik affected by CVE-2024-532592024-12-17
GHSA
Traefik affected by CVE-2024-532592024-12-17
OSV
ICMP Packet Too Large Injection Attack on Linux in github.com/quic-go/quic-go2024-12-04
GHSA
quic-go affected by an ICMP Packet Too Large Injection Attack on Linux2024-12-02

📋Vendor Advisories

3
Microsoft
quic-go affected by an ICMP Packet Too Large Injection Attack on Linux2024-12-10
Red Hat
quic-go: quic-go affected by an ICMP Packet Too Large Injection Attack on Linux2024-12-02
Debian
CVE-2024-53259: golang-github-lucas-clemente-quic-go - quic-go is an implementation of the QUIC protocol in Go. An off-path attacker ca...2024
CVE-2024-53259 — Quic-go vulnerability | cvebase