Lucene search

Veracode Vulnerability DatabaseVERACODE:44064

HistoryOct 31, 2023 - 6:01 a.m.

Denial Of Service (DoS)

2023-10-3106:01:38

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

vulnerability

quic-go

denial of service

mishandling

handshake

application crash

software

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

21.4%

JSON

github.com/quic-go/quic-go is vulnerable to Denial Of Service (DoS). The vulnerability is a result of the mishandling of ACK frames that are serialized after CRYPTO frames in connection.go during the node handshake process. This flaw allows a malicious remote node to trigger a null pointer dereference when the node attempts to drop the Handshake packet number space, ultimately leading to an application crash.

CPENameOperatorVersion
github.com/quic-go/quic-golev0.37.2
github.com/quic-go/quic-golev0.37.2

CPE	Name	Operator	Version
	github.com/quic-go/quic-go	le	v0.37.2
	github.com/quic-go/quic-go	le	v0.37.2

References

github.com/advisories/GHSA-3q6m-v84f-6p9h

github.com/quic-go/quic-go/commit/b6a4725b60f1fe04e8f1ddcc3114e290fcea1617

github.com/quic-go/quic-go/pull/4018

github.com/quic-go/quic-go/releases/tag/v0.37.3

github.com/quic-go/quic-go/security/advisories/GHSA-3q6m-v84f-6p9h

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

21.4%

JSON

Related for VERACODE:44064