CVE-2023-46239

quic-go is an implementation of the QUIC protocol in Go. Starting in version 0.37.0 and prior to version 0.37.3, by serializing an ACK frame after the CRYTPO that allows a node to complete the handshake, a remote node could trigger a nil pointer dereference (leading to a panic) when the node attempted to drop the Handshake packet number space. An attacker can bring down a quic-go node with very minimal effort. Completing the QUIC handshake only requires sending and receiving a few packets. Version 0.37.3 contains a patch. Versions before 0.37.0 are not affected.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/quic-go/quic-go/commit/b6a4725b60f1fe04e8f1ddcc3114e290fcea1617	Patch
https://github.com/quic-go/quic-go/releases/tag/v0.37.3	Release Notes
https://github.com/quic-go/quic-go/security/advisories/GHSA-3q6m-v84f-6p9h	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:quic-go_project:quic-go:*:*:*:*:*:*:*:*

History

09 Nov 2023, 00:14

Type	Values Removed	Values Added
First Time		Quic-go Project quic-go Quic-go Project
CWE	~~CWE-248~~	CWE-476
CPE		cpe:2.3:a:quic-go_project:quic-go::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5
References	~~(MISC) https://github.com/quic-go/quic-go/security/advisories/GHSA-3q6m-v84f-6p9h -~~	(MISC) https://github.com/quic-go/quic-go/security/advisories/GHSA-3q6m-v84f-6p9h - Patch, Vendor Advisory
References	~~(MISC) https://github.com/quic-go/quic-go/commit/b6a4725b60f1fe04e8f1ddcc3114e290fcea1617 -~~	(MISC) https://github.com/quic-go/quic-go/commit/b6a4725b60f1fe04e8f1ddcc3114e290fcea1617 - Patch
References	~~(MISC) https://github.com/quic-go/quic-go/releases/tag/v0.37.3 -~~	(MISC) https://github.com/quic-go/quic-go/releases/tag/v0.37.3 - Release Notes

31 Oct 2023, 17:07

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-10-31 16:15

Updated : 2024-02-28 20:33

NVD link : CVE-2023-46239

Mitre link : CVE-2023-46239

CVE.ORG link : CVE-2023-46239

JSON object : View

Products Affected

quic-go_project

quic-go

CWE

CWE-476

NULL Pointer Dereference

CWE-248

Uncaught Exception

{"id": "CVE-2023-46239", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2023-10-31T16:15:09.543", "references": [{"url": "https://github.com/quic-go/quic-go/commit/b6a4725b60f1fe04e8f1ddcc3114e290fcea1617", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/quic-go/quic-go/releases/tag/v0.37.3", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/quic-go/quic-go/security/advisories/GHSA-3q6m-v84f-6p9h", "tags": ["Patch", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-476"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-248"}]}], "descriptions": [{"lang": "en", "value": "quic-go is an implementation of the QUIC protocol in Go. Starting in version 0.37.0 and prior to version 0.37.3, by serializing an ACK frame after the CRYTPO that allows a node to complete the handshake, a remote node could trigger a nil pointer dereference (leading to a panic) when the node attempted to drop the Handshake packet number space. An attacker can bring down a quic-go node with very minimal effort. Completing the QUIC handshake only requires sending and receiving a few packets. Version 0.37.3 contains a patch. Versions before 0.37.0 are not affected."}, {"lang": "es", "value": "quic-go es una implementaci\u00f3n del protocolo QUIC en Go. A partir de la versi\u00f3n 0.37.0 y antes de la versi\u00f3n 0.37.3, al serializar una trama ACK despu\u00e9s de CRYTPO que permite que un nodo complete el protocolo de enlace, un nodo remoto podr\u00eda desencadenar una desreferencia de puntero nulo (lo que lleva a p\u00e1nico) cuando el nodo intenta para eliminar el espacio del n\u00famero del paquete Handshake. Un atacante puede derribar un nodo r\u00e1pido con un esfuerzo m\u00ednimo. Completar el protocolo de enlace QUIC solo requiere enviar y recibir algunos paquetes. La versi\u00f3n 0.37.3 contiene un parche. Las versiones anteriores a la 0.37.0 no se ven afectadas."}], "lastModified": "2023-11-09T00:14:04.070", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:quic-go_project:quic-go:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A4D3D28F-FF90-4B7E-99E8-64325B9B7D08", "versionEndExcluding": "0.37.3", "versionStartIncluding": "0.37.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}