Fluid Attacks Database

Description

quic-go through 0.27.0 allows remote attackers to cause a denial of service (CPU consumption) via a Slowloris variant in which incomplete QUIC or HTTP/3 requests are sent. This occurs because mtu_discoverer.go misparses the MTU Discovery service and consequently overflows the probe timer. NOTE: the vendor's position is that this behavior should not be listed as a vulnerability on the CVE List

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 12	golang-github-lucas-clemente-quic-go	=0.29.0-1 \|\| =0.29.2-1 \|\| =0.29.2-2 \|\| =0.29.2-3 \|\| =0.37.0-1 \|\| =0.37.4-1 \|\| =0.37.4-1~bpo12+1 \|\| =0.38.2-1 \|\| =0.38.2-2 \|\| =0.46.0-1 \|\| =0.46.0-2 \|\| =0.46.0-2~bpo12+1 \|\| =0.50.0-1 \|\| =0.50.1-1 \|\| =0.50.1-2 \|\| =0.54.0-1 \|\| =0.54.0-2 \|\| =0.54.0-3 \|\| =0.54.1-1 \|\| =0.55.0-1 \|\| =0.59.0-1 \|\| =0.59.0-2	-
debian 13	golang-github-lucas-clemente-quic-go	=0.50.1-2 \|\| =0.54.0-1 \|\| =0.54.0-2 \|\| =0.54.0-3 \|\| =0.54.1-1 \|\| =0.55.0-1 \|\| =0.59.0-1 \|\| =0.59.0-2	-
debian 14	golang-github-lucas-clemente-quic-go	=0.50.1-2 \|\| =0.54.0-1 \|\| =0.54.0-2 \|\| =0.54.0-3 \|\| =0.54.1-1 \|\| =0.55.0-1 \|\| =0.59.0-1 \|\| =0.59.0-2	-
debian 11	golang-github-lucas-clemente-quic-go	=0.19.3-1 \|\| =0.24.0-1 \|\| =0.25.0-1 \|\| =0.26.0-1 \|\| =0.26.0-1~bpo11+1 \|\| =0.29.0-1 \|\| =0.29.0-1~bpo11+1 \|\| =0.29.0-1~bpo11+2 \|\| =0.29.2-1 \|\| =0.29.2-2 \|\| =0.29.2-3 \|\| =0.37.0-1 \|\| =0.37.4-1 \|\| =0.37.4-1~bpo12+1 \|\| =0.38.2-1 \|\| =0.38.2-2 \|\| =0.46.0-1 \|\| =0.46.0-2 \|\| =0.46.0-2~bpo12+1 \|\| =0.50.0-1 \|\| =0.50.1-1 \|\| =0.50.1-2 \|\| =0.54.0-1 \|\| =0.54.0-2 \|\| =0.54.0-3 \|\| =0.54.1-1 \|\| =0.55.0-1 \|\| =0.59.0-1 \|\| =0.59.0-2	-
go	github.com/lucas-clemente/quic-go	>=0 <=0.27.0	0.27.1

Aliases

1. CVE-2022-305912. NVD-2022-305913. OSV-DEBIAN-2022-305914. OSV-2022-305915. GCVE-2022-305916. SECURITY-TRACKER-CVE-2022-30591

References

1. https://github.com/efchatz/QUIC-attacks2. https://github.com/lucas-clemente/quic-go/blob/84e03e59760ceee37359688871bb0688fcc4e98f/mtu_discoverer.go

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.