Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
quic-go has Client Crash Due to Premature HANDSHAKE_DONE Frame
Vulnerability Description
quic-go is an implementation of the QUIC protocol in Go. In versions prior to 0.49.0, 0.54.1, and 0.55.0, a misbehaving or malicious server can cause a denial-of-service (DoS) attack on the quic-go client by triggering an assertion failure, leading to a process crash. This requires no authentication and can be exploited during the handshake phase. This was observed in the wild with certain server implementations. quic-go needs to be able to handle misbehaving server implementations, including those that prematurely send a HANDSHAKE_DONE frame. Versions 0.49.0, 0.54.1, and 0.55.0 discard Initial keys when receiving a HANDSHAKE_DONE frame, thereby correctly handling premature HANDSHAKE_DONE frames.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Vulnerability Type
可达断言
Vulnerability Title
quic-go 安全漏洞
Vulnerability Description
quic-go是Lucas Clemente个人开发者的一种 QUIC 协议、RFC 9000协议在 Go 中的实现。 quic-go 0.49.0之前版本、0.54.1之前版本和0.55.0之前版本存在安全漏洞,该漏洞源于断言失败处理不当,可能导致拒绝服务攻击。
CVSS Information
N/A
Vulnerability Type
N/A