CVE-2024-1765
MEDIUM5.9EPSS 5.5%quiche vulnerable to unlimited resource allocation by QUIC CRYPTO frames flooding
發布日:2024/3/13修改日:2026/3/13
描述
### Impact Cloudflare Quiche (through version 0.19.1/0.20.0) was affected by an unlimited resource allocation vulnerability causing rapid increase of memory usage of the system running quiche server or client. A remote attacker could take advantage of this vulnerability by repeatedly sending an unlimited number of 1-RTT CRYPTO frames after previously completing the QUIC handshake. Exploitation was possible for the duration of the connection which could be extended by the attacker. ### Patches Quiche 0.19.2 and 0.20.1 are the earliest versions containing the fix for this issue.
受影響套件(1)
- crates.io/quichefrom 0, < 0.19.2
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.9 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H |
參考連結(7)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2024-1765
- PATCHhttps://github.com/cloudflare/quiche
- WEBhttps://github.com/cloudflare/quiche/commit/1017466c143fc93a82b286a1ba35e53334cdf8e2
- WEBhttps://github.com/cloudflare/quiche/commit/11dbf5461ab657bbc02e466d719070124b27ef3c
- WEBhttps://github.com/cloudflare/quiche/releases/tag/0.19.2
- WEBhttps://github.com/cloudflare/quiche/releases/tag/0.20.1
- WEBhttps://github.com/cloudflare/quiche/security/advisories/GHSA-78wx-jg4j-5j6g