CVE-2024-22189
Description
quic-go is an implementation of the QUIC protocol in Go. Prior to version 0.42.0, an attacker can cause its peer to run out of memory by sending a large number of NEW_CONNECTION_ID frames that retire old connection IDs. The receiver is supposed to respond to each retirement with a RETIRE_CONNECTION_ID frame. The attacker can prevent the receiver from sending out (the vast majority of) these RETIRE_CONNECTION_ID frames by collapsing the peer's congestion window (by selectively acknowledging received packets) and by manipulating the peer's RTT estimate, so the queued frames accumulate without bound. Version 0.42.0 contains a patch for the issue. No known workarounds are available.
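The following Go program is an added illustration of the receiver-side mechanics described above; it is not quic-go's code and does not reproduce its fix. It models a connection-ID manager that must queue one RETIRE_CONNECTION_ID frame per retired ID, feeds it the frame pattern from the advisory (each NEW_CONNECTION_ID retires the previous ID while nothing is ever acknowledged), and contrasts an unbounded queue with a queue that refuses further retirements past an assumed cap. The type names, the `maxQueued` cap, the error value and the frame-flood helper are all assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrTooManyQueuedRetirements is an assumed error value for this example;
// a real stack would close the connection with a protocol error here.
var ErrTooManyQueuedRetirements = errors.New("too many queued RETIRE_CONNECTION_ID frames")

// NewConnectionID carries the two NEW_CONNECTION_ID fields that matter here.
type NewConnectionID struct {
	SequenceNumber uint64
	RetirePriorTo  uint64
}

// ConnIDManager tracks the peer's connection IDs on the receiving side.
type ConnIDManager struct {
	active       map[uint64]struct{} // sequence numbers of IDs we may still use
	queuedRetire []uint64            // RETIRE_CONNECTION_ID frames not yet sent and acknowledged
	maxQueued    int                 // assumed cap on queuedRetire; 0 means unbounded (pre-fix behaviour)
}

// NewConnIDManager starts with sequence number 0, the handshake connection ID.
func NewConnIDManager(maxQueued int) *ConnIDManager {
	return &ConnIDManager{
		active:    map[uint64]struct{}{0: {}},
		maxQueued: maxQueued,
	}
}

// HandleNewConnectionID retires every active ID below RetirePriorTo, queueing a
// RETIRE_CONNECTION_ID frame for each, then records the new ID. Replayed
// frames are not de-duplicated; that is beyond what this example models.
func (m *ConnIDManager) HandleNewConnectionID(f NewConnectionID) error {
	if f.RetirePriorTo > f.SequenceNumber {
		return errors.New("frame encoding error: Retire Prior To exceeds Sequence Number")
	}
	for seq := range m.active {
		if seq < f.RetirePriorTo {
			delete(m.active, seq) // deleting during range is safe in Go
			m.queuedRetire = append(m.queuedRetire, seq)
		}
	}
	m.active[f.SequenceNumber] = struct{}{}
	if m.maxQueued > 0 && len(m.queuedRetire) > m.maxQueued {
		return ErrTooManyQueuedRetirements
	}
	return nil
}

// AckRetirements drops the n oldest queued frames, modelling the peer
// acknowledging the packets that carried them. With a collapsed congestion
// window the attacker keeps n at zero, so the queue never drains.
func (m *ConnIDManager) AckRetirements(n int) {
	if n > len(m.queuedRetire) {
		n = len(m.queuedRetire)
	}
	m.queuedRetire = m.queuedRetire[n:]
}

// Queued reports how many RETIRE_CONNECTION_ID frames are still buffered.
func (m *ConnIDManager) Queued() int { return len(m.queuedRetire) }

// Flood feeds n frames where frame i carries Retire Prior To = i, so each frame
// retires exactly the previous ID and adds one RETIRE_CONNECTION_ID frame to the
// queue. It returns how many frames were accepted before the manager refused one.
func Flood(m *ConnIDManager, n int) (int, error) {
	for i := 1; i <= n; i++ {
		f := NewConnectionID{SequenceNumber: uint64(i), RetirePriorTo: uint64(i)}
		if err := m.HandleNewConnectionID(f); err != nil {
			return i - 1, err
		}
	}
	return n, nil
}

func main() {
	unbounded := NewConnIDManager(0)
	n, err := Flood(unbounded, 10000)
	fmt.Printf("unbounded: accepted %d frames, err=%v, queued=%d\n", n, err, unbounded.Queued())

	capped := NewConnIDManager(32)
	n, err = Flood(capped, 10000)
	fmt.Printf("capped:    accepted %d frames, err=%v, queued=%d\n", n, err, capped.Queued())
}
```

The unbounded manager accepts all 10000 frames and holds 10000 pending RETIRE_CONNECTION_ID frames, which is the growth the advisory describes; the capped one refuses the 33rd frame. Any real mitigation also has to let the queue drain normally, which `AckRetirements` models for a well-behaved peer.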
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/quic-go/quic-go | Go | < 0.42.0 | 0.42.0 |
Affected products
44 OSV package coordinates; no CPE identifiers are assigned.
| Package (purl) | Affected range |
|---|---|
| pkg:apk/chainguard/caddy | < 2.7.6-r6 |
| pkg:apk/chainguard/caddy-fips | < 2.7.6-r4 |
| pkg:apk/chainguard/caddy-man | < 2.7.6-r6 |
| pkg:apk/chainguard/caddy-src | < 2.7.6-r6 |
| pkg:apk/chainguard/cloudflared | < 2024.1.0-r7 |
| pkg:apk/chainguard/coredns | < 1.11.1-r12 |
| pkg:apk/chainguard/coredns-compat | < 1.11.1-r12 |
| pkg:apk/chainguard/coredns-fips | < 1.12.0-r9 |
| pkg:apk/chainguard/eks-distro-coredns-1.9 | < 1.9.3-r4 |
| pkg:apk/chainguard/go-ipfs-fips | < 0.27.0-r3 |
| pkg:apk/chainguard/ipfs | < 0.28.0-r0 |
| pkg:apk/chainguard/k3s | < 1.29.3-r3 |
| pkg:apk/chainguard/k3s-embedded | < 1.29.3-r3 |
| pkg:apk/chainguard/k3s-images | < 1.29.3-r3 |
| pkg:apk/chainguard/k3s-multicall | < 1.29.3-r3 |
| pkg:apk/chainguard/k3s-static | < 1.29.3-r3 |
| pkg:apk/chainguard/kuma-coredns | < 1.11.1-r12 |
| pkg:apk/chainguard/q | < 0.19.2-r2 |
| pkg:apk/wolfi/caddy | < 2.7.6-r6 |
| pkg:apk/wolfi/caddy-man | < 2.7.6-r6 |
| pkg:apk/wolfi/caddy-src | < 2.7.6-r6 |
| pkg:apk/wolfi/cloudflared | < 2024.1.0-r7 |
| pkg:apk/wolfi/coredns | < 1.11.1-r12 |
| pkg:apk/wolfi/coredns-compat | < 1.11.1-r12 |
| pkg:apk/wolfi/ipfs | < 0.28.0-r0 |
| pkg:apk/wolfi/k3s | < 1.29.3-r3 |
| pkg:apk/wolfi/k3s-embedded | < 1.29.3-r3 |
| pkg:apk/wolfi/k3s-images | < 1.29.3-r3 |
| pkg:apk/wolfi/k3s-multicall | < 1.29.3-r3 |
| pkg:apk/wolfi/k3s-static | < 1.29.3-r3 |
| pkg:apk/wolfi/kuma-coredns | < 1.11.1-r12 |
| pkg:apk/wolfi/q | < 0.19.2-r2 |
| pkg:golang/github.com/quic-go/quic-go | < 0.42.0 |
| pkg:rpm/opensuse/caddy&distro=openSUSE%20Leap%2015.5 | < 2.8.4-bp155.2.3.1 |
| pkg:rpm/opensuse/caddy&distro=openSUSE%20Leap%2015.6 | < 2.8.4-bp156.3.3.1 |
| pkg:rpm/opensuse/caddy&distro=openSUSE%20Tumbleweed | < 2.8.4-1.1 |
| pkg:rpm/opensuse/coredns&distro=openSUSE%20Leap%2015.6 | < 1.11.3-bp156.4.3.1 |
| pkg:rpm/opensuse/coredns&distro=openSUSE%20Tumbleweed | < 1.11.1-5.1 |
| pkg:rpm/opensuse/dnscrypt-proxy&distro=openSUSE%20Leap%2016.0 | < 2.1.16-bp160.1.1 |
| pkg:rpm/opensuse/kubo&distro=openSUSE%20Tumbleweed | < 0.27.0-2.1 |
| pkg:rpm/opensuse/syncthing&distro=openSUSE%20Tumbleweed | < 1.27.6-1.1 |
| pkg:rpm/suse/caddy&distro=SUSE%20Package%20Hub%2015%20SP5 | < 2.8.4-bp155.2.3.1 |
| pkg:rpm/suse/caddy&distro=SUSE%20Package%20Hub%2015%20SP6 | < 2.8.4-bp156.3.3.1 |
| pkg:rpm/suse/coredns&distro=SUSE%20Package%20Hub%2015%20SP6 | < 1.11.3-bp156.4.3.1 |
References
- github.com/advisories/GHSA-c33x-xqrf-c478 (source: ghsa, type: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2024-22189 (source: ghsa, type: ADVISORY)
- github.com/quic-go/quic-go/commit/4a99b816ae3ab03ae5449d15aac45147c85ed47a (source: nvd, type: WEB)
- github.com/quic-go/quic-go/security/advisories/GHSA-c33x-xqrf-c478 (source: nvd, type: WEB)
- seemann.io/posts/2024-03-19-exploiting-quics-connection-id-management (source: nvd, type: WEB)
- www.youtube.com/watch (source: nvd, type: WEB)