quic-go is an implementation of the QUIC protocol in Go. Prior to version 0.42.0, an attacker can cause its peer to run out of memory by sending a large number of `NEW_CONNECTION_ID` frames that retire old connection IDs. The receiver is supposed to respond to each retirement with a `RETIRE_CONNECTION_ID` frame. The attacker can prevent the receiver from sending out (the vast majority of) these `RETIRE_CONNECTION_ID` frames by collapsing the peer's congestion window (by selectively acknowledging received packets) and by manipulating the peer's RTT estimate, so the pending frames accumulate in memory. Version 0.42.0 contains a patch for the issue. No known workarounds are available.
History
Tue, 29 Oct 2024 02:30:00 +0000

Type | Values Removed | Values Added
---|---|---
First Time appeared | | Redhat ansible Automation Platform
CPEs | | cpe:/a:redhat:ansible_automation_platform:2.5::el8, cpe:/a:redhat:ansible_automation_platform:2.5::el9
Vendors & Products | | Redhat ansible Automation Platform
Thu, 08 Aug 2024 02:30:00 +0000

Type | Values Removed | Values Added
---|---|---
First Time appeared | | Redhat service Mesh
CPEs | | cpe:/a:redhat:service_mesh:2.6::el8, cpe:/a:redhat:service_mesh:2.6::el9
Vendors & Products | | Redhat service Mesh
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published: 2024-04-04T14:25:43.663Z
Updated: 2024-08-23T19:29:41.592Z
Reserved: 2024-01-08T04:59:27.370Z
Link: CVE-2024-22189
Vulnrichment
Updated: 2024-08-01T22:35:34.903Z
NVD
Status: Awaiting Analysis
Published: 2024-04-04T15:15:37.990
Modified: 2024-11-21T08:55:45.517
Link: CVE-2024-22189