GHSA-78wx-jg4j-5j6g

Source
https://github.com/advisories/GHSA-78wx-jg4j-5j6g
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-78wx-jg4j-5j6g/GHSA-78wx-jg4j-5j6g.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-78wx-jg4j-5j6g
Aliases
  • CVE-2024-1765
Published
2024-03-13T15:39:40Z
Modified
2024-03-13T16:11:39.617002Z
Severity
  • 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
quiche vulnerable to unlimited resource allocation by QUIC CRYPTO frames flooding
Details

Impact

Cloudflare Quiche (through version 0.19.1/0.20.0) was affected by an unlimited resource allocation vulnerability causing a rapid increase in the memory usage of the system running the quiche server or client.

A remote attacker could take advantage of this vulnerability by repeatedly sending an unlimited number of 1-RTT CRYPTO frames after previously completing the QUIC handshake. Exploitation was possible for the duration of the connection which could be extended by the attacker.

Patches

Quiche 0.19.2 and 0.20.1 are the earliest versions containing the fix for this issue.
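The advisory describes the failure mode (CRYPTO data accepted without bound after the handshake) but not the shape of the fix. The following Rust example is added here to illustrate the defensive pattern a QUIC implementation needs at this point: a reassembly buffer for CRYPTO frames that refuses to grow past a per-connection cap and reports an error the caller can turn into a connection close. It is not quiche's code and does not reproduce quiche's actual patch; the `MAX_CRYPTO_BUFFER` constant, the `CryptoStream` type and the `frames_accepted_before_rejection` helper are all assumptions made for this example, and the out-of-order handling is simplified (exact-offset chunks only, no overlap trimming).

```rust
use std::collections::BTreeMap;

/// Hypothetical cap on out-of-order CRYPTO bytes held per connection (not a quiche value).
pub const MAX_CRYPTO_BUFFER: usize = 64 * 1024;

#[derive(Debug, PartialEq)]
pub enum CryptoError {
    /// Accepting the frame would push buffered bytes past the cap; the caller
    /// should close the connection rather than keep allocating.
    BufferExceeded { buffered: usize, incoming: usize },
}

/// Reassembly state for one encryption level's CRYPTO stream (example type).
pub struct CryptoStream {
    next_offset: u64,
    pending: BTreeMap<u64, Vec<u8>>, // out-of-order chunks keyed by stream offset
    buffered: usize,                 // bytes currently held in `pending`
    delivered: Vec<u8>,              // contiguous data handed to the TLS layer
}

impl Default for CryptoStream {
    fn default() -> Self {
        Self::new()
    }
}

impl CryptoStream {
    pub fn new() -> Self {
        Self { next_offset: 0, pending: BTreeMap::new(), buffered: 0, delivered: Vec::new() }
    }

    pub fn buffered_bytes(&self) -> usize {
        self.buffered
    }

    pub fn delivered_bytes(&self) -> usize {
        self.delivered.len()
    }

    /// Accept one CRYPTO frame. The bound is checked before any allocation,
    /// which is the property the advisory's vulnerable versions lacked.
    pub fn receive(&mut self, offset: u64, data: &[u8]) -> Result<(), CryptoError> {
        // Already-delivered data or an exact duplicate of a pending chunk costs nothing: drop it.
        if offset < self.next_offset || self.pending.contains_key(&offset) {
            return Ok(());
        }
        if self.buffered + data.len() > MAX_CRYPTO_BUFFER {
            return Err(CryptoError::BufferExceeded { buffered: self.buffered, incoming: data.len() });
        }
        self.pending.insert(offset, data.to_vec());
        self.buffered += data.len();
        self.drain();
        Ok(())
    }

    /// Move every chunk that is now contiguous with `next_offset` out of the
    /// pending map, releasing its share of the budget.
    fn drain(&mut self) {
        while let Some(chunk) = self.pending.remove(&self.next_offset) {
            self.buffered -= chunk.len();
            self.next_offset += chunk.len() as u64;
            self.delivered.extend_from_slice(&chunk);
        }
    }
}

/// Models a peer that keeps sending frames which never close the gap at offset 0,
/// so nothing can be delivered and every frame stays buffered. Returns how many
/// frames were accepted before the cap rejected one (None if all were accepted).
pub fn frames_accepted_before_rejection(frame_len: usize, max_frames: usize) -> Option<usize> {
    let mut stream = CryptoStream::new();
    let payload = vec![0xAA; frame_len]; // constructed filler, content is irrelevant
    for i in 0..max_frames {
        let offset = 1 + (i * frame_len) as u64; // offset 0 is never sent
        if stream.receive(offset, &payload).is_err() {
            return Some(i);
        }
    }
    None
}

fn main() {
    match frames_accepted_before_rejection(1024, 1_000) {
        Some(n) => println!("bounded receiver rejected frame #{} after holding {} bytes", n + 1, n * 1024),
        None => println!("all frames accepted (cap never reached)"),
    }
}
```

With a 64 KiB cap and 1024-byte frames the receiver holds exactly 64 frames and rejects the 65th; without the check before `insert`, the map would keep growing for as long as the peer kept the connection alive, which is the behaviour the advisory describes. In-order data never accumulates because `drain` releases it immediately, so legitimate post-handshake CRYPTO traffic (for example session tickets) is unaffected by the bound.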

Database specific
{
    "nvd_published_at": "2024-03-12T18:15:07Z",
    "cwe_ids": [
        "CWE-400"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-03-13T15:39:40Z"
}
References

Affected packages

crates.io / quiche

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
0.19.2

crates.io / quiche

Package

Affected ranges

Type
SEMVER
Events
Introduced
0.20.0
Fixed
0.20.1