CVE-2024-1765

2024-03-1218:15:07

CWE-770

CWE-400

[email protected]

web.nvd.nist.gov

cloudflare

quiche

cve-2024-1765

resource allocation

vulnerability

memory usage

remote attacker

quic handshake

exploitation

nvd

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

5.8 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.1%

JSON

Cloudflare Quiche (through version 0.19.1/0.20.0) was affected by an unlimited resource allocation vulnerability causing rapid increase of memory usage of the system running quiche server or client.
A remote attacker could take advantage of this vulnerability by repeatedly sending an unlimited number of 1-RTT CRYPTO frames after previously completing the QUIC handshake.
Exploitation was possible for the duration of the connection which could be extended by the attacker.
quiche 0.19.2 and 0.20.1 are the earliest versions containing the fix for this issue.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "packageName": "quiche",
    "platforms": [
      "Rust"
    ],
    "product": "quiche",
    "vendor": "Cloudflare",
    "versions": [
      {
        "lessThanOrEqual": "<0.19.1",
        "status": "affected",
        "version": "0.15.0",
        "versionType": "semver"
      },
      {
        "lessThan": "<0.20.1",
        "status": "affected",
        "version": "0.20.0",
        "versionType": "semver"
      }
    ]
  }
]