Homepage

CVE-2024-22189 Affecting golang-github-lucas-clemente-quic-go package, versions *

Severity

 Recommended
low

Based on default assessment until relevant scores are available.

Threat Intelligence

EPSS
0.05% (18th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-DEBIAN13-GOLANGGITHUBLUCASCLEMENTEQUICGO-6564977
  • published5 Apr 2024
  • disclosed4 Apr 2024
Report a new vulnerability Found a mistake?

Introduced: 4 Apr 2024

CVE-2024-22189  (opens in a new tab)

How to fix?

There is no fixed version for Debian:13 golang-github-lucas-clemente-quic-go.

NVD Description

Note: Versions mentioned in the description apply only to the upstream golang-github-lucas-clemente-quic-go package and not the golang-github-lucas-clemente-quic-go package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

quic-go is an implementation of the QUIC protocol in Go. Prior to version 0.42.0, an attacker can cause its peer to run out of memory sending a large number of NEW_CONNECTION_ID frames that retire old connection IDs. The receiver is supposed to respond to each retirement frame with a RETIRE_CONNECTION_ID frame. The attacker can prevent the receiver from sending out (the vast majority of) these RETIRE_CONNECTION_ID frames by collapsing the peers congestion window (by selectively acknowledging received packets) and by manipulating the peer's RTT estimate. Version 0.42.0 contains a patch for the issue. No known workarounds are available.