Fluid Attacks Database

Description

A flaw was found in Golang. QUIC connections do not set an upper bound on the amount of data buffered when reading post-handshake messages, allowing a malicious QUIC connection to cause unbounded memory growth. With the fix, connections now consistently reject messages larger than 65KiB in size.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
go	stdlib	>=1.21.0-0 <1.21.1	1.21.1
rpm rhel9	buildah	<1:1.31.3-2.el9_3	1:1.31.3-2.el9_3
rpm rhel9	podman	<2:4.6.1-7.el9_3	2:4.6.1-7.el9_3
rpm rhel9	ignition	-	-
rpm rhel9	butane	-	-
rpm rhel9	conmon	-	-
rpm rhel9	containernetworking-plugins	<1:1.3.0-6.el9_3	1:1.3.0-6.el9_3
rpm rhel8	git-lfs	-	-
rpm rhel9	git-lfs	<0:3.6.1-1.el9	0:3.6.1-1.el9
rpm rhel8	go-toolset	<0:1.20.10-1.module+el8.9.0+20382+04f7fe80	0:1.20.10-1.module+el8.9.0+20382+04f7fe80

1-10 of 16

Aliases

1. CVE-2023-393222. NVD-2023-393223. OSV-GO-2023-20454. OSV-2023-393225. GCVE-2023-39322

References

1. https://go.dev/issue/622662. https://go.dev/cl/5230393. https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.