CVE-2023-6193

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-6193

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-6193.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2023-6193

Aliases

GHSA-w3vp-jw9m-f9pm

Published

2023-12-12T14:15:07Z

Modified

2024-06-06T14:26:25.747720Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator

Summary

[none]

Details

quiche v. 0.15.0 through 0.19.0 was discovered to be vulnerable to unbounded queuing of path validation messages, which could lead to excessive resource consumption. QUIC path validation (RFC 9000 Section 8.2) requires that the recipient of a PATHCHALLENGE frame responds by sending a PATHRESPONSE. An unauthenticated remote attacker can exploit the vulnerability by sending PATHCHALLENGE frames and manipulating the connection (e.g. by restricting the peer's congestion window size) so that PATHRESPONSE frames can only be sent at the slower rate than they are received; leading to storage of path validation data in an unbounded queue. Quiche versions greater than 0.19.0 address this problem.

References

Affected packages

Git / github.com/cloudflare/quiche

Affected ranges

Type: GIT
Repo: https://github.com/cloudflare/quiche
Events: Introduced

39db87204ade573270a19d9218ef79503d01e21e

Last affected

af368e9287ea975d184f9f66df52dbf109adf0e4

Affected versions

0.*

0.15.0

0.16.0

0.17.1

0.17.2

0.18.0

0.19.0