Vulnerability Description
quic-go is an implementation of the QUIC protocol in Go. Starting in version 0.37.0 and prior to version 0.37.3, by serializing an ACK frame after the CRYTPO that allows a node to complete the handshake, a remote node could trigger a nil pointer dereference (leading to a panic) when the node attempted to drop the Handshake packet number space. An attacker can bring down a quic-go node with very minimal effort. Completing the QUIC handshake only requires sending and receiving a few packets. Version 0.37.3 contains a patch. Versions before 0.37.0 are not affected.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Quic-Go Project | Quic-Go | >= 0.37.0, < 0.37.3 |
Related Weaknesses (CWE)
References
- https://github.com/quic-go/quic-go/commit/b6a4725b60f1fe04e8f1ddcc3114e290fcea16Patch
- https://github.com/quic-go/quic-go/releases/tag/v0.37.3Release Notes
- https://github.com/quic-go/quic-go/security/advisories/GHSA-3q6m-v84f-6p9hPatchVendor Advisory
- https://github.com/quic-go/quic-go/commit/b6a4725b60f1fe04e8f1ddcc3114e290fcea16Patch
- https://github.com/quic-go/quic-go/releases/tag/v0.37.3Release Notes
- https://github.com/quic-go/quic-go/security/advisories/GHSA-3q6m-v84f-6p9hPatchVendor Advisory
FAQ
What is CVE-2023-46239?
CVE-2023-46239 is a vulnerability with a CVSS score of 7.5 (HIGH). quic-go is an implementation of the QUIC protocol in Go. Starting in version 0.37.0 and prior to version 0.37.3, by serializing an ACK frame after the CRYTPO that allows a node to complete the handsha...
How severe is CVE-2023-46239?
CVE-2023-46239 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-46239?
Check the references section above for vendor advisories and patch information. Affected products include: Quic-Go Project Quic-Go.