Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS0zcTZtLXY4NGYtNnA5aM4AA2xM

quic-go vulnerable to pointer dereference that can lead to panic

quic-go is an implementation of the QUIC transport protocol in Go. By serializing an ACK frame after the CRYTPO that allows a node to complete the handshake, a remote node could trigger a nil pointer dereference (leading to a panic) when the node attempted to drop the Handshake packet number space.

Impact

An attacker can bring down a quic-go node with very minimal effort. Completing the QUIC handshake only requires sending and receiving a few packets.

Patches

v0.37.3 contains a patch. Versions before v0.37.0 are not affected.

Permalink: https://github.com/advisories/GHSA-3q6m-v84f-6p9h
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0zcTZtLXY4NGYtNnA5aM4AA2xM
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 6 months ago
Updated: 6 months ago

CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Identifiers: GHSA-3q6m-v84f-6p9h, CVE-2023-46239
References:

• https://github.com/quic-go/quic-go/security/advisories/GHSA-3q6m-v84f-6p9h
• https://github.com/quic-go/quic-go/commit/b6a4725b60f1fe04e8f1ddcc3114e290fcea1617
• https://github.com/quic-go/quic-go/releases/tag/v0.37.3
• https://nvd.nist.gov/vuln/detail/CVE-2023-46239
• https://github.com/advisories/GHSA-3q6m-v84f-6p9h

Repository: https://github.com/quic-go/quic-go
Blast Radius: 22.9

Affected Packages