data/reports: add GO-2024-2682.yaml

zpavlinovic · zpavlinovic · commit 6651075da8d2 · 2024-04-05T16:53:41.000Z
Aliases: CVE-2024-22189, GHSA-c33x-xqrf-c478 Fixes #2682 Change-Id: I298961e72d34e367f5070f9f55dd02e8b6120b5f Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/576755 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Damien Neil <dneil@google.com> Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com> TryBot-Result: Gopher Robot <gobot@golang.org>
diff --git a/data/osv/GO-2024-2682.json b/data/osv/GO-2024-2682.json
@@ -0,0 +1,106 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2024-2682",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2024-22189",
+    "GHSA-c33x-xqrf-c478"
+  ],
+  "summary": "Denial of service via connection starvation in github.com/quic-go/quic-go",
+  "details": "An attacker can cause its peer to run out of memory by sending a large number of NEW_CONNECTION_ID frames that retire old connection IDs. The receiver is supposed to respond to each retirement frame with a RETIRE_CONNECTION_ID frame. The attacker can prevent the receiver from sending out (the vast majority of) these RETIRE_CONNECTION_ID frames by collapsing the peers congestion window (by selectively acknowledging received packets) and by manipulating the peer's RTT estimate.",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/quic-go/quic-go",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.42.0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {
+        "imports": [
+          {
+            "path": "github.com/quic-go/quic-go",
+            "symbols": [
+              "Dial",
+              "DialAddr",
+              "DialAddrEarly",
+              "DialEarly",
+              "Listen",
+              "ListenAddr",
+              "ListenAddrEarly",
+              "ListenEarly",
+              "Transport.Dial",
+              "Transport.DialEarly",
+              "Transport.Listen",
+              "Transport.ListenEarly",
+              "connIDGenerator.Retire",
+              "connIDGenerator.SetMaxActiveConnIDs",
+              "connIDManager.Add",
+              "connIDManager.Get",
+              "connection.AcceptStream",
+              "connection.AcceptUniStream",
+              "connection.OpenStream",
+              "connection.OpenStreamSync",
+              "connection.OpenUniStream",
+              "connection.OpenUniStreamSync",
+              "connection.run",
+              "framerI.AppendStreamFrames",
+              "framerI.QueueControlFrame",
+              "packetPacker.AppendPacket",
+              "packetPacker.MaybePackProbePacket",
+              "packetPacker.PackAckOnlyPacket",
+              "packetPacker.PackApplicationClose",
+              "packetPacker.PackCoalescedPacket",
+              "packetPacker.PackConnectionClose",
+              "packetPacker.PackMTUProbePacket",
+              "receiveStream.CancelRead",
+              "receiveStream.CloseRemote",
+              "receiveStream.Read",
+              "sendStream.CancelWrite",
+              "streamsMap.AcceptStream",
+              "streamsMap.AcceptUniStream",
+              "streamsMap.DeleteStream",
+              "streamsMap.HandleMaxStreamsFrame",
+              "streamsMap.OpenStream",
+              "streamsMap.OpenStreamSync",
+              "streamsMap.OpenUniStream",
+              "streamsMap.OpenUniStreamSync",
+              "streamsMap.UpdateLimits",
+              "windowUpdateQueue.QueueAll"
+            ]
+          }
+        ]
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "FIX",
+      "url": "https://github.com/quic-go/quic-go/commit/4a99b816ae3ab03ae5449d15aac45147c85ed47a"
+    },
+    {
+      "type": "WEB",
+      "url": "https://seemann.io/posts/2024-03-19-exploiting-quics-connection-id-management"
+    }
+  ],
+  "credits": [
+    {
+      "name": "marten-seemann"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2024-2682"
+  }
+}
diff --git a/data/reports/GO-2024-2682.yaml b/data/reports/GO-2024-2682.yaml
@@ -0,0 +1,74 @@
+id: GO-2024-2682
+modules:
+    - module: github.com/quic-go/quic-go
+      versions:
+        - fixed: 0.42.0
+      vulnerable_at: 0.41.0
+      packages:
+        - package: github.com/quic-go/quic-go
+          symbols:
+            - framerI.QueueControlFrame
+            - connection.run
+          derived_symbols:
+            - Dial
+            - DialAddr
+            - DialAddrEarly
+            - DialEarly
+            - Listen
+            - ListenAddr
+            - ListenAddrEarly
+            - ListenEarly
+            - Transport.Dial
+            - Transport.DialEarly
+            - Transport.Listen
+            - Transport.ListenEarly
+            - connIDGenerator.Retire
+            - connIDGenerator.SetMaxActiveConnIDs
+            - connIDManager.Add
+            - connIDManager.Get
+            - connection.AcceptStream
+            - connection.AcceptUniStream
+            - connection.OpenStream
+            - connection.OpenStreamSync
+            - connection.OpenUniStream
+            - connection.OpenUniStreamSync
+            - framerI.AppendStreamFrames
+            - packetPacker.AppendPacket
+            - packetPacker.MaybePackProbePacket
+            - packetPacker.PackAckOnlyPacket
+            - packetPacker.PackApplicationClose
+            - packetPacker.PackCoalescedPacket
+            - packetPacker.PackConnectionClose
+            - packetPacker.PackMTUProbePacket
+            - receiveStream.CancelRead
+            - receiveStream.CloseRemote
+            - receiveStream.Read
+            - sendStream.CancelWrite
+            - streamsMap.AcceptStream
+            - streamsMap.AcceptUniStream
+            - streamsMap.DeleteStream
+            - streamsMap.HandleMaxStreamsFrame
+            - streamsMap.OpenStream
+            - streamsMap.OpenStreamSync
+            - streamsMap.OpenUniStream
+            - streamsMap.OpenUniStreamSync
+            - streamsMap.UpdateLimits
+            - windowUpdateQueue.QueueAll
+summary: Denial of service via connection starvation in github.com/quic-go/quic-go
+description: |-
+    An attacker can cause its peer to run out of memory by sending a large number of
+    NEW_CONNECTION_ID frames that retire old connection IDs. The receiver is
+    supposed to respond to each retirement frame with a RETIRE_CONNECTION_ID frame.
+    The attacker can prevent the receiver from sending out (the vast majority of)
+    these RETIRE_CONNECTION_ID frames by collapsing the peers congestion window (by
+    selectively acknowledging received packets) and by manipulating the peer's RTT
+    estimate.
+cves:
+    - CVE-2024-22189
+ghsas:
+    - GHSA-c33x-xqrf-c478
+credits:
+    - marten-seemann
+references:
+    - fix: https://github.com/quic-go/quic-go/commit/4a99b816ae3ab03ae5449d15aac45147c85ed47a
+    - web: https://seemann.io/posts/2024-03-19-exploiting-quics-connection-id-management
