blob: 48360b1fcd0735813b9f5d4cb5bf3bcfe832c70b [file] [log] [blame]
id: GO-2023-2160
modules:
- module: github.com/quic-go/quic-go
versions:
- introduced: 0.37.0
- fixed: 0.37.3
vulnerable_at: 0.37.2
packages:
- package: github.com/quic-go/quic-go
summary: Panic during QUIC handshake in github.com/quic-go/quic-go
description: |-
The QUIC handshake can cause a panic when processing a certain sequence of
frames. A malicious peer can deliberately trigger this panic.
cves:
- CVE-2023-46239
ghsas:
- GHSA-3q6m-v84f-6p9h
references:
- advisory: https://github.com/quic-go/quic-go/security/advisories/GHSA-3q6m-v84f-6p9h
- fix: https://github.com/quic-go/quic-go/commit/b6a4725b60f1fe04e8f1ddcc3114e290fcea1617
notes:
- No symbols, because the only vulnerable versions only build with unreleased versions of Go and the vulnerability affects all users of the package anyway.
review_status: REVIEWED