data/reports/GO-2023-2160.yaml - vulndb - Git at Google

 id: GO-2023-2160
 modules:
     - module: github.com/quic-go/quic-go
       versions:
         - introduced: 0.37.0
           fixed: 0.37.3
       vulnerable_at: 0.37.2
       packages:
         - package: github.com/quic-go/quic-go
 summary: Panic during QUIC handshake in github.com/quic-go/quic-go
 description: |-
     The QUIC handshake can cause a panic when processing a certain sequence of
     frames. A malicious peer can deliberately trigger this panic.
 cves:
     - CVE-2023-46239
 ghsas:
     - GHSA-3q6m-v84f-6p9h
 references:
     - advisory: https://github.com/quic-go/quic-go/security/advisories/GHSA-3q6m-v84f-6p9h
     - fix: https://github.com/quic-go/quic-go/commit/b6a4725b60f1fe04e8f1ddcc3114e290fcea1617
 notes:
     - No symbols, because the only vulnerable versions only build with unreleased versions of Go and the vulnerability affects all users of the package anyway.
 review_status: REVIEWED
	id: GO-2023-2160
	modules:
	- module: github.com/quic-go/quic-go
	versions:
	- introduced: 0.37.0
	fixed: 0.37.3
	vulnerable_at: 0.37.2
	packages:
	- package: github.com/quic-go/quic-go
	summary: Panic during QUIC handshake in github.com/quic-go/quic-go
	description: \|-
	The QUIC handshake can cause a panic when processing a certain sequence of
	frames. A malicious peer can deliberately trigger this panic.
	cves:
	- CVE-2023-46239
	ghsas:
	- GHSA-3q6m-v84f-6p9h
	references:
	- advisory: https://github.com/quic-go/quic-go/security/advisories/GHSA-3q6m-v84f-6p9h
	- fix: https://github.com/quic-go/quic-go/commit/b6a4725b60f1fe04e8f1ddcc3114e290fcea1617
	notes:
	- No symbols, because the only vulnerable versions only build with unreleased versions of Go and the vulnerability affects all users of the package anyway.
	review_status: REVIEWED