CVE-2024-1765 (GCVE-0-2024-1765)
Vulnerability from cvelistv5
Published
2024-03-12 18:04
Modified
2024-08-01 18:48
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
Cloudflare Quiche (through version 0.19.1/0.20.0) was affected by an unlimited resource allocation vulnerability causing rapid increase of memory usage of the system running quiche server or client.
A remote attacker could take advantage of this vulnerability by repeatedly sending an unlimited number of 1-RTT CRYPTO frames after previously completing the QUIC handshake.
Exploitation was possible for the duration of the connection which could be extended by the attacker.
quiche 0.19.2 and 0.20.1 are the earliest versions containing the fix for this issue.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Cloudflare | quiche |
Version: 0.15.0 ≤ <0.19.1 Version: 0.20.0 ≤ |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-1765",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-13T14:44:18.732134Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T18:00:25.467Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:48:22.108Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/cloudflare/quiche/security/advisories/GHSA-78wx-jg4j-5j6g"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "quiche",
"platforms": [
"Rust"
],
"product": "quiche",
"vendor": "Cloudflare",
"versions": [
{
"lessThanOrEqual": "\u003c0.19.1",
"status": "affected",
"version": "0.15.0",
"versionType": "semver"
},
{
"lessThan": "\u003c0.20.1",
"status": "affected",
"version": "0.20.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Marten Seeman (@marten-seemann)"
}
],
"datePublic": "2024-03-12T18:01:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eCloudflare Quiche (through version 0.19.1/0.20.0) was affected by an unlimited resource allocation vulnerability causing rapid increase of memory usage of the system \u003c/span\u003e\u003cspan style=\"background-color: transparent;\"\u003erunning quiche server or client\u003c/span\u003e\u003cspan style=\"background-color: transparent;\"\u003e.\u003cbr\u003e\u003c/span\u003e\u003cspan style=\"background-color: transparent;\"\u003eA remote attacker could take advantage of this vulnerability by repeatedly sending an unlimited number of 1-RTT CRYPTO frames after previously completing the QUIC handshake.\u003cbr\u003eExploitation was possible for the duration of the connection which could be extended by the attacker.\u0026nbsp;\u003cbr\u003e\u003c/span\u003e\u003cspan style=\"background-color: transparent;\"\u003equiche 0.19.2 and 0.20.1 are the earliest versions containing the fix for this issue.\u003c/span\u003e\u003c/p\u003e"
}
],
"value": "Cloudflare Quiche (through version 0.19.1/0.20.0) was affected by an unlimited resource allocation vulnerability causing rapid increase of memory usage of the system running quiche server or client.\nA remote attacker could take advantage of this vulnerability by repeatedly sending an unlimited number of 1-RTT CRYPTO frames after previously completing the QUIC handshake.\nExploitation was possible for the duration of the connection which could be extended by the attacker.\u00a0\nquiche 0.19.2 and 0.20.1 are the earliest versions containing the fix for this issue.\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-130",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-130 Excessive Allocation"
}
]
},
{
"capecId": "CAPEC-272",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-272 Protocol Manipulation"
}
]
},
{
"capecId": "CAPEC-125",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-125 Flooding"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770 Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-12T18:04:54.915Z",
"orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
"shortName": "cloudflare"
},
"references": [
{
"url": "https://github.com/cloudflare/quiche/security/advisories/GHSA-78wx-jg4j-5j6g"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Unlimited resource allocation by QUIC CRYPTO frames flooding in quiche",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
"assignerShortName": "cloudflare",
"cveId": "CVE-2024-1765",
"datePublished": "2024-03-12T18:04:54.915Z",
"dateReserved": "2024-02-22T16:04:47.125Z",
"dateUpdated": "2024-08-01T18:48:22.108Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/cloudflare/quiche/security/advisories/GHSA-78wx-jg4j-5j6g\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-01T18:48:22.108Z\"}}, {\"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-1765\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-03-13T14:44:18.732134Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-05-23T19:01:17.322Z\"}, \"title\": \"CISA ADP Vulnrichment\"}], \"cna\": {\"title\": \"Unlimited resource allocation by QUIC CRYPTO frames flooding in quiche\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Marten Seeman (@marten-seemann)\"}], \"impacts\": [{\"capecId\": \"CAPEC-130\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-130 Excessive Allocation\"}]}, {\"capecId\": \"CAPEC-272\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-272 Protocol Manipulation\"}]}, {\"capecId\": \"CAPEC-125\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-125 Flooding\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.9, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Cloudflare\", \"product\": \"quiche\", \"versions\": [{\"status\": \"affected\", \"version\": \"0.15.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"\u003c0.19.1\"}, {\"status\": \"affected\", \"version\": \"0.20.0\", \"lessThan\": \"\u003c0.20.1\", \"versionType\": \"semver\"}], \"platforms\": [\"Rust\"], \"packageName\": \"quiche\", \"defaultStatus\": \"unaffected\"}], \"datePublic\": \"2024-03-12T18:01:00.000Z\", \"references\": [{\"url\": \"https://github.com/cloudflare/quiche/security/advisories/GHSA-78wx-jg4j-5j6g\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Cloudflare Quiche (through version 0.19.1/0.20.0) was affected by an unlimited resource allocation vulnerability causing rapid increase of memory usage of the system running quiche server or client.\\nA remote attacker could take advantage of this vulnerability by repeatedly sending an unlimited number of 1-RTT CRYPTO frames after previously completing the QUIC handshake.\\nExploitation was possible for the duration of the connection which could be extended by the attacker.\\u00a0\\nquiche 0.19.2 and 0.20.1 are the earliest versions containing the fix for this issue.\\n\\n\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003e\u003cspan style=\\\"background-color: transparent;\\\"\u003eCloudflare Quiche (through version 0.19.1/0.20.0) was affected by an unlimited resource allocation vulnerability causing rapid increase of memory usage of the system \u003c/span\u003e\u003cspan style=\\\"background-color: transparent;\\\"\u003erunning quiche server or client\u003c/span\u003e\u003cspan style=\\\"background-color: transparent;\\\"\u003e.\u003cbr\u003e\u003c/span\u003e\u003cspan style=\\\"background-color: transparent;\\\"\u003eA remote attacker could take advantage of this vulnerability by repeatedly sending an unlimited number of 1-RTT CRYPTO frames after previously completing the QUIC handshake.\u003cbr\u003eExploitation was possible for the duration of the connection which could be extended by the attacker.\u0026nbsp;\u003cbr\u003e\u003c/span\u003e\u003cspan style=\\\"background-color: transparent;\\\"\u003equiche 0.19.2 and 0.20.1 are the earliest versions containing the fix for this issue.\u003c/span\u003e\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-400\", \"description\": \"CWE-400 Uncontrolled Resource Consumption\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-770\", \"description\": \"CWE-770 Allocation of Resources Without Limits or Throttling\"}]}], \"providerMetadata\": {\"orgId\": \"a22f1246-ba21-4bb4-a601-ad51614c1513\", \"shortName\": \"cloudflare\", \"dateUpdated\": \"2024-03-12T18:04:54.915Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-1765\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-08-01T18:48:22.108Z\", \"dateReserved\": \"2024-02-22T16:04:47.125Z\", \"assignerOrgId\": \"a22f1246-ba21-4bb4-a601-ad51614c1513\", \"datePublished\": \"2024-03-12T18:04:54.915Z\", \"assignerShortName\": \"cloudflare\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…