data/reports: add GO-2024-2682.yaml

Aliases: CVE-2024-22189, GHSA-c33x-xqrf-c478

Fixes golang/vulndb#2682

Change-Id: I298961e72d34e367f5070f9f55dd02e8b6120b5f
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/576755
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
diff --git a/data/osv/GO-2024-2682.json b/data/osv/GO-2024-2682.json
new file mode 100644
index 0000000..9f3b4ef
--- /dev/null
+++ b/data/osv/GO-2024-2682.json
@@ -0,0 +1,106 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2024-2682",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2024-22189",
+    "GHSA-c33x-xqrf-c478"
+  ],
+  "summary": "Denial of service via connection starvation in github.com/quic-go/quic-go",
+  "details": "An attacker can cause its peer to run out of memory by sending a large number of NEW_CONNECTION_ID frames that retire old connection IDs. The receiver is supposed to respond to each retirement frame with a RETIRE_CONNECTION_ID frame. The attacker can prevent the receiver from sending out (the vast majority of) these RETIRE_CONNECTION_ID frames by collapsing the peers congestion window (by selectively acknowledging received packets) and by manipulating the peer's RTT estimate.",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/quic-go/quic-go",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.42.0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {
+        "imports": [
+          {
+            "path": "github.com/quic-go/quic-go",
+            "symbols": [
+              "Dial",
+              "DialAddr",
+              "DialAddrEarly",
+              "DialEarly",
+              "Listen",
+              "ListenAddr",
+              "ListenAddrEarly",
+              "ListenEarly",
+              "Transport.Dial",
+              "Transport.DialEarly",
+              "Transport.Listen",
+              "Transport.ListenEarly",
+              "connIDGenerator.Retire",
+              "connIDGenerator.SetMaxActiveConnIDs",
+              "connIDManager.Add",
+              "connIDManager.Get",
+              "connection.AcceptStream",
+              "connection.AcceptUniStream",
+              "connection.OpenStream",
+              "connection.OpenStreamSync",
+              "connection.OpenUniStream",
+              "connection.OpenUniStreamSync",
+              "connection.run",
+              "framerI.AppendStreamFrames",
+              "framerI.QueueControlFrame",
+              "packetPacker.AppendPacket",
+              "packetPacker.MaybePackProbePacket",
+              "packetPacker.PackAckOnlyPacket",
+              "packetPacker.PackApplicationClose",
+              "packetPacker.PackCoalescedPacket",
+              "packetPacker.PackConnectionClose",
+              "packetPacker.PackMTUProbePacket",
+              "receiveStream.CancelRead",
+              "receiveStream.CloseRemote",
+              "receiveStream.Read",
+              "sendStream.CancelWrite",
+              "streamsMap.AcceptStream",
+              "streamsMap.AcceptUniStream",
+              "streamsMap.DeleteStream",
+              "streamsMap.HandleMaxStreamsFrame",
+              "streamsMap.OpenStream",
+              "streamsMap.OpenStreamSync",
+              "streamsMap.OpenUniStream",
+              "streamsMap.OpenUniStreamSync",
+              "streamsMap.UpdateLimits",
+              "windowUpdateQueue.QueueAll"
+            ]
+          }
+        ]
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "FIX",
+      "url": "https://github.com/quic-go/quic-go/commit/4a99b816ae3ab03ae5449d15aac45147c85ed47a"
+    },
+    {
+      "type": "WEB",
+      "url": "https://seemann.io/posts/2024-03-19-exploiting-quics-connection-id-management"
+    }
+  ],
+  "credits": [
+    {
+      "name": "marten-seemann"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2024-2682"
+  }
+}
\ No newline at end of file
diff --git a/data/reports/GO-2024-2682.yaml b/data/reports/GO-2024-2682.yaml
new file mode 100644
index 0000000..e03ff68
--- /dev/null
+++ b/data/reports/GO-2024-2682.yaml
@@ -0,0 +1,74 @@
+id: GO-2024-2682
+modules:
+    - module: github.com/quic-go/quic-go
+      versions:
+        - fixed: 0.42.0
+      vulnerable_at: 0.41.0
+      packages:
+        - package: github.com/quic-go/quic-go
+          symbols:
+            - framerI.QueueControlFrame
+            - connection.run
+          derived_symbols:
+            - Dial
+            - DialAddr
+            - DialAddrEarly
+            - DialEarly
+            - Listen
+            - ListenAddr
+            - ListenAddrEarly
+            - ListenEarly
+            - Transport.Dial
+            - Transport.DialEarly
+            - Transport.Listen
+            - Transport.ListenEarly
+            - connIDGenerator.Retire
+            - connIDGenerator.SetMaxActiveConnIDs
+            - connIDManager.Add
+            - connIDManager.Get
+            - connection.AcceptStream
+            - connection.AcceptUniStream
+            - connection.OpenStream
+            - connection.OpenStreamSync
+            - connection.OpenUniStream
+            - connection.OpenUniStreamSync
+            - framerI.AppendStreamFrames
+            - packetPacker.AppendPacket
+            - packetPacker.MaybePackProbePacket
+            - packetPacker.PackAckOnlyPacket
+            - packetPacker.PackApplicationClose
+            - packetPacker.PackCoalescedPacket
+            - packetPacker.PackConnectionClose
+            - packetPacker.PackMTUProbePacket
+            - receiveStream.CancelRead
+            - receiveStream.CloseRemote
+            - receiveStream.Read
+            - sendStream.CancelWrite
+            - streamsMap.AcceptStream
+            - streamsMap.AcceptUniStream
+            - streamsMap.DeleteStream
+            - streamsMap.HandleMaxStreamsFrame
+            - streamsMap.OpenStream
+            - streamsMap.OpenStreamSync
+            - streamsMap.OpenUniStream
+            - streamsMap.OpenUniStreamSync
+            - streamsMap.UpdateLimits
+            - windowUpdateQueue.QueueAll
+summary: Denial of service via connection starvation in github.com/quic-go/quic-go
+description: |-
+    An attacker can cause its peer to run out of memory by sending a large number of
+    NEW_CONNECTION_ID frames that retire old connection IDs. The receiver is
+    supposed to respond to each retirement frame with a RETIRE_CONNECTION_ID frame.
+    The attacker can prevent the receiver from sending out (the vast majority of)
+    these RETIRE_CONNECTION_ID frames by collapsing the peers congestion window (by
+    selectively acknowledging received packets) and by manipulating the peer's RTT
+    estimate.
+cves:
+    - CVE-2024-22189
+ghsas:
+    - GHSA-c33x-xqrf-c478
+credits:
+    - marten-seemann
+references:
+    - fix: https://github.com/quic-go/quic-go/commit/4a99b816ae3ab03ae5449d15aac45147c85ed47a
+    - web: https://seemann.io/posts/2024-03-19-exploiting-quics-connection-id-management
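Review bot: The description block at the `description: |-` scalar has a missing apostrophe in "collapsing the peers congestion window" (sixth line of the block), which reads as a plural rather than the possessive; the line should be `these RETIRE_CONNECTION_ID frames by collapsing the peer's congestion window (by`. The same wording appears in the `details` field of data/osv/GO-2024-2682.json in the first hunk, which looks like it is generated from this report, so correcting the YAML and regenerating should fix both. Everything else in the report (module, fixed/vulnerable_at versions, aliases, credits and the fix/web references) is consistent with the generated OSV entry.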