{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-6193", "assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513", "state": "PUBLISHED", "assignerShortName": "cloudflare", "dateReserved": "2023-11-17T14:39:07.534Z", "datePublished": "2023-12-12T13:32:03.183Z", "dateUpdated": "2024-08-02T08:21:17.737Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "packageName": "cloudflare-quiche", "product": "quiche", "vendor": "Cloudflare", "versions": [{"lessThanOrEqual": "0.19.0", "status": "affected", "version": "0.15.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Marten Seemann "}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "quiche v. 0.15.0 through 0.19.0 was discovered to be vulnerable to unbounded queuing of path validation messages, which could lead to excessive resource consumption.<br>QUIC path validation (RFC 9000 Section 8.2) requires that the recipient of a PATH_CHALLENGE frame responds by sending a PATH_RESPONSE. An unauthenticated remote attacker can exploit the vulnerability by sending PATH_CHALLENGE frames and manipulating the connection (e.g. by restricting the peer's congestion window size) so that PATH_RESPONSE frames can only be sent at the slower rate than they are received; leading to storage of path validation data in an unbounded queue. <br>Quiche versions greater than 0.19.0 address this problem."}], "value": "quiche v. 0.15.0 through 0.19.0 was discovered to be vulnerable to unbounded queuing of path validation messages, which could lead to excessive resource consumption.\nQUIC path validation (RFC 9000 Section 8.2) requires that the recipient of a PATH_CHALLENGE frame responds by sending a PATH_RESPONSE. An unauthenticated remote attacker can exploit the vulnerability by sending PATH_CHALLENGE frames and manipulating the connection (e.g. by restricting the peer's congestion window size) so that PATH_RESPONSE frames can only be sent at the slower rate than they are received; leading to storage of path validation data in an unbounded queue. \nQuiche versions greater than 0.19.0 address this problem."}], "impacts": [{"capecId": "CAPEC-130", "descriptions": [{"lang": "en", "value": "CAPEC-130 Excessive Allocation"}]}, {"capecId": "CAPEC-272", "descriptions": [{"lang": "en", "value": "CAPEC-272 Protocol Manipulation"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513", "shortName": "cloudflare", "dateUpdated": "2023-12-12T13:32:03.183Z"}, "references": [{"url": "https://github.com/cloudflare/quiche/security/advisories/GHSA-w3vp-jw9m-f9pm"}, {"url": "https://datatracker.ietf.org/doc/html/rfc9000#section-8.2"}], "source": {"discovery": "EXTERNAL"}, "title": "Unbounded queuing of path validation messages in cloudflare-quiche", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T08:21:17.737Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/cloudflare/quiche/security/advisories/GHSA-w3vp-jw9m-f9pm", "tags": ["x_transferred"]}, {"url": "https://datatracker.ietf.org/doc/html/rfc9000#section-8.2", "tags": ["x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cloudflare:quiche:*:*:*:*:*:*:*:*", "matchCriteriaId": "754F9BC1-68D8-4071-A987-42FFCD3AE06D", "versionEndIncluding": "0.19.0", "versionStartIncluding": "0.15.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "quiche v. 0.15.0 through 0.19.0 was discovered to be vulnerable to unbounded queuing of path validation messages, which could lead to excessive resource consumption.\nQUIC path validation (RFC 9000 Section 8.2) requires that the recipient of a PATH_CHALLENGE frame responds by sending a PATH_RESPONSE. An unauthenticated remote attacker can exploit the vulnerability by sending PATH_CHALLENGE frames and manipulating the connection (e.g. by restricting the peer's congestion window size) so that PATH_RESPONSE frames can only be sent at the slower rate than they are received; leading to storage of path validation data in an unbounded queue. \nQuiche versions greater than 0.19.0 address this problem."}, {"lang": "es", "value": "Se descubri\u00f3 que quiche v. 0.15.0 a 0.19.0 era vulnerable a colas ilimitadas de mensajes de validaci\u00f3n de ruta, lo que podr\u00eda provocar un consumo excesivo de recursos. La validaci\u00f3n de ruta QUIC (RFC 9000 Secci\u00f3n 8.2) requiere que el destinatario de una trama PATH_CHALLENGE responda enviando una PATH_RESPONSE. Un atacante remoto no autenticado puede explotar la vulnerabilidad enviando tramas PATH_CHALLENGE y manipulando la conexi\u00f3n (por ejemplo, restringiendo el tama\u00f1o de la ventana de congesti\u00f3n del par) de modo que las tramas PATH_RESPONSE s\u00f3lo puedan enviarse a una velocidad m\u00e1s lenta de la que se reciben; lo que lleva al almacenamiento de datos de validaci\u00f3n de ruta en una cola ilimitada. Las versiones de Quiche superiores a 0.19.0 solucionan este problema."}], "id": "CVE-2023-6193", "lastModified": "2023-12-14T20:19:39.233", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "cna@cloudflare.com", "type": "Secondary"}]}, "published": "2023-12-12T14:15:07.797", "references": [{"source": "cna@cloudflare.com", "tags": ["Technical Description"], "url": "https://datatracker.ietf.org/doc/html/rfc9000#section-8.2"}, {"source": "cna@cloudflare.com", "tags": ["Vendor Advisory"], "url": "https://github.com/cloudflare/quiche/security/advisories/GHSA-w3vp-jw9m-f9pm"}], "sourceIdentifier": "cna@cloudflare.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-400"}], "source": "cna@cloudflare.com", "type": "Secondary"}]}

{}