GHSA-5r5h-q934-cccp

Source
https://github.com/advisories/GHSA-5r5h-q934-cccp
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-5r5h-q934-cccp/GHSA-5r5h-q934-cccp.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-5r5h-q934-cccp
Aliases
Related
Published
2023-11-06T18:30:19Z
Modified
2023-11-08T15:26:33.607785Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Calico Typha denial of service vulnerability
Details

In certain conditions, Calico Typha (v3.26.2, v3.25.1 and below) and Calico Enterprise Typha (v3.17.1, v3.16.3, v3.15.3 and below) can be blocked indefinitely by a client TLS handshake, resulting in denial of service. The TLS Handshake() call is performed inside the main server's connection-handling for loop without any timeout, so an unclean TLS handshake can block the main loop indefinitely while other connections sit idle waiting for that handshake to finish.
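The mitigation implied by the advisory, as an added Go example written for this page (not Typha's source): the accept loop only accepts, each connection handshakes in its own goroutine, and the handshake runs under a deadline so a client that stalls mid-handshake ties up only its own goroutine instead of the loop. The names handshakeWithDeadline and serveHardened are this example's own.

```go
package main

import (
	"crypto/tls"
	"log"
	"net"
	"time"
)

// handshakeWithDeadline bounds how long a client may take to complete the TLS
// handshake. The vulnerable shape described above calls Handshake() with no
// deadline, so a silent or half-finished client never returns control.
func handshakeWithDeadline(raw net.Conn, cfg *tls.Config, timeout time.Duration) (*tls.Conn, error) {
	c := tls.Server(raw, cfg)
	if err := c.SetDeadline(time.Now().Add(timeout)); err != nil {
		c.Close()
		return nil, err
	}
	if err := c.Handshake(); err != nil { // returns a timeout error once the deadline passes
		c.Close()
		return nil, err
	}
	// Clear the handshake deadline so normal traffic is not cut off.
	return c, c.SetDeadline(time.Time{})
}

// serveHardened keeps the accept loop free of any per-client blocking work:
// the handshake (and its deadline) lives in the connection's own goroutine.
func serveHardened(ln net.Listener, cfg *tls.Config, timeout time.Duration, handle func(net.Conn)) error {
	for {
		raw, err := ln.Accept()
		if err != nil {
			return err
		}
		go func() {
			c, err := handshakeWithDeadline(raw, cfg, timeout)
			if err != nil {
				log.Printf("handshake from %s rejected: %v", raw.RemoteAddr(), err)
				return
			}
			handle(c)
		}()
	}
}
```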

Database specific
{
    "nvd_published_at": "2023-11-06T16:15:42Z",
    "cwe_ids": [
        "CWE-400",
        "CWE-755"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2023-11-08T14:52:23Z"
}
References

Affected packages

Go / github.com/projectcalico/calico

Package

Name
github.com/projectcalico/calico
Purl
pkg:golang/github.com/projectcalico/calico

Affected ranges

Type
SEMVER
Events
Introduced
3.26.0
Fixed
3.26.3

Go / github.com/projectcalico/calico

Package

Name
github.com/projectcalico/calico
Purl
pkg:golang/github.com/projectcalico/calico

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Last affected
3.25.1