CVE-2023-46239 - OpenCVE

quic-go is an implementation of the QUIC protocol in Go. Starting in version 0.37.0 and prior to version 0.37.3, by serializing an ACK frame after the CRYTPO that allows a node to complete the handshake, a remote node could trigger a nil pointer dereference (leading to a panic) when the node attempted to drop the Handshake packet number space. An attacker can bring down a quic-go node with very minimal effort. Completing the QUIC handshake only requires sending and receiving a few packets. Version 0.37.3 contains a patch. Versions before 0.37.0 are not affected.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Quic-go Project	Quic-go

Configuration 1 [-]

cpe:2.3:a:quic-go_project:quic-go:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/quic-go/quic-go/commit/b6a4725b60f1fe04e8f1ddcc3114e290fcea1617
https://github.com/quic-go/quic-go/releases/tag/v0.37.3
https://github.com/quic-go/quic-go/security/advisories/GHSA-3q6m-v84f-6p9h

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-10-31T15:02:03.413Z

Updated: 2024-09-05T17:37:20.453Z

Reserved: 2023-10-19T20:34:00.947Z

Link: CVE-2023-46239

Vulnrichment

Updated: 2024-08-02T20:37:40.330Z

NVD

Status : Analyzed

Published: 2023-10-31T16:15:09.543

Modified: 2023-11-09T00:14:04.070

Link: CVE-2023-46239

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-46239", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-10-19T20:34:00.947Z", "datePublished": "2023-10-31T15:02:03.413Z", "dateUpdated": "2024-09-05T17:37:20.453Z"}, "containers": {"cna": {"title": "quic-go vulnerable to pointer dereference that can lead to panic", "problemTypes": [{"descriptions": [{"cweId": "CWE-248", "lang": "en", "description": "CWE-248: Uncaught Exception", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/quic-go/quic-go/security/advisories/GHSA-3q6m-v84f-6p9h", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/quic-go/quic-go/security/advisories/GHSA-3q6m-v84f-6p9h"}, {"name": "https://github.com/quic-go/quic-go/commit/b6a4725b60f1fe04e8f1ddcc3114e290fcea1617", "tags": ["x_refsource_MISC"], "url": "https://github.com/quic-go/quic-go/commit/b6a4725b60f1fe04e8f1ddcc3114e290fcea1617"}, {"name": "https://github.com/quic-go/quic-go/releases/tag/v0.37.3", "tags": ["x_refsource_MISC"], "url": "https://github.com/quic-go/quic-go/releases/tag/v0.37.3"}], "affected": [{"vendor": "quic-go", "product": "quic-go", "versions": [{"version": ">= 0.37.0, < 0.37.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-10-31T15:02:03.413Z"}, "descriptions": [{"lang": "en", "value": "quic-go is an implementation of the QUIC protocol in Go. Starting in version 0.37.0 and prior to version 0.37.3, by serializing an ACK frame after the CRYTPO that allows a node to complete the handshake, a remote node could trigger a nil pointer dereference (leading to a panic) when the node attempted to drop the Handshake packet number space. An attacker can bring down a quic-go node with very minimal effort. Completing the QUIC handshake only requires sending and receiving a few packets. Version 0.37.3 contains a patch. Versions before 0.37.0 are not affected."}], "source": {"advisory": "GHSA-3q6m-v84f-6p9h", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T20:37:40.330Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/quic-go/quic-go/security/advisories/GHSA-3q6m-v84f-6p9h", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/quic-go/quic-go/security/advisories/GHSA-3q6m-v84f-6p9h"}, {"name": "https://github.com/quic-go/quic-go/commit/b6a4725b60f1fe04e8f1ddcc3114e290fcea1617", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/quic-go/quic-go/commit/b6a4725b60f1fe04e8f1ddcc3114e290fcea1617"}, {"name": "https://github.com/quic-go/quic-go/releases/tag/v0.37.3", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/quic-go/quic-go/releases/tag/v0.37.3"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-05T17:36:38.496208Z", "id": "CVE-2023-46239", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-05T17:37:20.453Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/quic-go/quic-go/security/advisories/GHSA-3q6m-v84f-6p9h", "name": "https://github.com/quic-go/quic-go/security/advisories/GHSA-3q6m-v84f-6p9h", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/quic-go/quic-go/commit/b6a4725b60f1fe04e8f1ddcc3114e290fcea1617", "name": "https://github.com/quic-go/quic-go/commit/b6a4725b60f1fe04e8f1ddcc3114e290fcea1617", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/quic-go/quic-go/releases/tag/v0.37.3", "name": "https://github.com/quic-go/quic-go/releases/tag/v0.37.3", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T20:37:40.330Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-46239", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-05T17:36:38.496208Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-05T17:37:14.283Z"}}], "cna": {"title": "quic-go vulnerable to pointer dereference that can lead to panic", "source": {"advisory": "GHSA-3q6m-v84f-6p9h", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "quic-go", "product": "quic-go", "versions": [{"status": "affected", "version": ">= 0.37.0, < 0.37.3"}]}], "references": [{"url": "https://github.com/quic-go/quic-go/security/advisories/GHSA-3q6m-v84f-6p9h", "name": "https://github.com/quic-go/quic-go/security/advisories/GHSA-3q6m-v84f-6p9h", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/quic-go/quic-go/commit/b6a4725b60f1fe04e8f1ddcc3114e290fcea1617", "name": "https://github.com/quic-go/quic-go/commit/b6a4725b60f1fe04e8f1ddcc3114e290fcea1617", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/quic-go/quic-go/releases/tag/v0.37.3", "name": "https://github.com/quic-go/quic-go/releases/tag/v0.37.3", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "quic-go is an implementation of the QUIC protocol in Go. Starting in version 0.37.0 and prior to version 0.37.3, by serializing an ACK frame after the CRYTPO that allows a node to complete the handshake, a remote node could trigger a nil pointer dereference (leading to a panic) when the node attempted to drop the Handshake packet number space. An attacker can bring down a quic-go node with very minimal effort. Completing the QUIC handshake only requires sending and receiving a few packets. Version 0.37.3 contains a patch. Versions before 0.37.0 are not affected."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-248", "description": "CWE-248: Uncaught Exception"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-10-31T15:02:03.413Z"}}}, "cveMetadata": {"cveId": "CVE-2023-46239", "state": "PUBLISHED", "dateUpdated": "2024-09-05T17:37:20.453Z", "dateReserved": "2023-10-19T20:34:00.947Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2023-10-31T15:02:03.413Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:quic-go_project:quic-go:*:*:*:*:*:*:*:*", "matchCriteriaId": "A4D3D28F-FF90-4B7E-99E8-64325B9B7D08", "versionEndExcluding": "0.37.3", "versionStartIncluding": "0.37.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "quic-go is an implementation of the QUIC protocol in Go. Starting in version 0.37.0 and prior to version 0.37.3, by serializing an ACK frame after the CRYTPO that allows a node to complete the handshake, a remote node could trigger a nil pointer dereference (leading to a panic) when the node attempted to drop the Handshake packet number space. An attacker can bring down a quic-go node with very minimal effort. Completing the QUIC handshake only requires sending and receiving a few packets. Version 0.37.3 contains a patch. Versions before 0.37.0 are not affected."}, {"lang": "es", "value": "quic-go es una implementaci\u00f3n del protocolo QUIC en Go. A partir de la versi\u00f3n 0.37.0 y antes de la versi\u00f3n 0.37.3, al serializar una trama ACK despu\u00e9s de CRYTPO que permite que un nodo complete el protocolo de enlace, un nodo remoto podr\u00eda desencadenar una desreferencia de puntero nulo (lo que lleva a p\u00e1nico) cuando el nodo intenta para eliminar el espacio del n\u00famero del paquete Handshake. Un atacante puede derribar un nodo r\u00e1pido con un esfuerzo m\u00ednimo. Completar el protocolo de enlace QUIC solo requiere enviar y recibir algunos paquetes. La versi\u00f3n 0.37.3 contiene un parche. Las versiones anteriores a la 0.37.0 no se ven afectadas."}], "id": "CVE-2023-46239", "lastModified": "2023-11-09T00:14:04.070", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-10-31T16:15:09.543", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/quic-go/quic-go/commit/b6a4725b60f1fe04e8f1ddcc3114e290fcea1617"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/quic-go/quic-go/releases/tag/v0.37.3"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/quic-go/quic-go/security/advisories/GHSA-3q6m-v84f-6p9h"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-248"}], "source": "security-advisories@github.com", "type": "Secondary"}]}