GHSA-78wx-jg4j-5j6g

Source
https://github.com/advisories/GHSA-78wx-jg4j-5j6g
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-78wx-jg4j-5j6g/GHSA-78wx-jg4j-5j6g.json
Aliases
  • CVE-2024-1765
Published
2024-03-13T15:39:40Z
Modified
2024-03-13T16:11:39.617002Z
Details

Impact

Cloudflare Quiche (through version 0.19.1/0.20.0) was affected by an unlimited resource allocation vulnerability that caused a rapid increase in memory usage on the system running the quiche server or client.

A remote attacker could take advantage of this vulnerability by repeatedly sending an unlimited number of 1-RTT CRYPTO frames after completing the QUIC handshake. Exploitation was possible for the duration of the connection, which the attacker could extend.

Patches

Quiche 0.19.2 and 0.20.1 are the earliest versions containing the fix for this issue.

References

Affected packages

crates.io / quiche

Package

Name
quiche

Affected ranges

Type
SEMVER
Events
Introduced
0 (the exact introduced commit is unknown)
Fixed
0.19.2

crates.io / quiche

Package

Name
quiche

Affected ranges

Type
SEMVER
Events
Introduced
0.20.0
Fixed
0.20.1