blob: 6fbecbd806b38f8c30f6f0f1402d94149b63995d [file] [log] [blame]
id: GO-2023-2044
modules:
- module: std
versions:
- introduced: 1.21.0-0
- fixed: 1.21.1
vulnerable_at: 1.21.0
packages:
- package: crypto/tls
symbols:
- QUICConn.HandleData
summary: Panic when processing post-handshake message on QUIC connections in crypto/tls
description: |-
Processing an incomplete post-handshake message for a QUIC connection can cause
a panic.
credits:
- Marten Seemann
references:
- report: https://go.dev/issue/62266
- fix: https://go.dev/cl/523039
- web: https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ
cve_metadata:
id: CVE-2023-39321
cwe: 'CWE-400: Uncontrolled Resource Consumption'
references:
- https://security.netapp.com/advisory/ntap-20231020-0004/
- https://security.gentoo.org/glsa/202311-09
review_status: REVIEWED