From b9195694411198767fdccec025ea90f8ef01882d Mon Sep 17 00:00:00 2001
From: Tatiana Bradley
Date: Wed, 6 Sep 2023 18:17:59 -0400
Subject: [PATCH] data/reports: add GO-2023-2045.yaml

Aliases: CVE-2023-39322

Updates golang/vulndb#2045

Change-Id: Ia87ee1ec604a0270f357536130e3abc022a84d0c
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/526168
Reviewed-by: Damien Neil
LUCI-TryBot-Result: Go LUCI
Auto-Submit: Tatiana Bradley
---
 data/cve/v5/GO-2023-2045.json | 79 ++++++++++++++++++++++++++++++++++
 data/osv/GO-2023-2045.json | 70 ++++++++++++++++++++++++++++++
 data/reports/GO-2023-2045.yaml | 29 +++++++++++++
 3 files changed, 178 insertions(+)
 create mode 100644 data/cve/v5/GO-2023-2045.json
 create mode 100644 data/osv/GO-2023-2045.json
 create mode 100644 data/reports/GO-2023-2045.yaml

diff --git a/data/cve/v5/GO-2023-2045.json b/data/cve/v5/GO-2023-2045.json
new file mode 100644
index 00000000..d8ab7806
--- /dev/null
+++ b/data/cve/v5/GO-2023-2045.json
@@ -0,0 +1,79 @@
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0",
+ "cveMetadata": {
+ "cveId": "CVE-2023-39322"
+ },
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc"
+ },
+ "title": "Memory exhaustion in QUIC connection handling in crypto/tls",
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "QUIC connections do not set an upper bound on the amount of data buffered when reading post-handshake messages, allowing a malicious QUIC connection to cause unbounded memory growth. With fix, connections now consistently reject messages larger than 65KiB in size."
+ }
+ ],
+ "affected": [
+ {
+ "vendor": "Go standard library",
+ "product": "crypto/tls",
+ "collectionURL": "https://pkg.go.dev",
+ "packageName": "crypto/tls",
+ "versions": [
+ {
+ "version": "0",
+ "lessThan": "1.20.8",
+ "status": "affected",
+ "versionType": "semver"
+ },
+ {
+ "version": "1.21.0-0",
+ "lessThan": "1.21.1",
+ "status": "affected",
+ "versionType": "semver"
+ }
+ ],
+ "programRoutines": [
+ {
+ "name": "QUICConn.HandleData"
+ }
+ ],
+ "defaultStatus": "unaffected"
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "lang": "en",
+ "description": "CWE-400: Uncontrolled Resource Consumption"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://go.dev/issue/62266"
+ },
+ {
+ "url": "https://go.dev/cl/523039"
+ },
+ {
+ "url": "https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ"
+ },
+ {
+ "url": "https://pkg.go.dev/vuln/GO-2023-2045"
+ }
+ ],
+ "credits": [
+ {
+ "lang": "en",
+ "value": "Marten Seemann"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2023-2045.json b/data/osv/GO-2023-2045.json
new file mode 100644
index 00000000..24107ef8
--- /dev/null
+++ b/data/osv/GO-2023-2045.json
@@ -0,0 +1,70 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2023-2045",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2023-39322"
+ ],
+ "summary": "Memory exhaustion in QUIC connection handling in crypto/tls",
+ "details": "QUIC connections do not set an upper bound on the amount of data buffered when reading post-handshake messages, allowing a malicious QUIC connection to cause unbounded memory growth.\n\nWith fix, connections now consistently reject messages larger than 65KiB in size.",
+ "affected": [
+ {
+ "package": {
+ "name": "stdlib",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.20.8"
+ },
+ {
+ "introduced": "1.21.0-0"
+ },
+ {
+ "fixed": "1.21.1"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "imports": [
+ {
+ "path": "crypto/tls",
+ "symbols": [
+ "QUICConn.HandleData"
+ ]
+ }
+ ]
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "REPORT",
+ "url": "https://go.dev/issue/62266"
+ },
+ {
+ "type": "FIX",
+ "url": "https://go.dev/cl/523039"
+ },
+ {
+ "type": "WEB",
+ "url": "https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ"
+ }
+ ],
+ "credits": [
+ {
+ "name": "Marten Seemann"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2023-2045"
+ }
+}
\ No newline at end of file
diff --git a/data/reports/GO-2023-2045.yaml b/data/reports/GO-2023-2045.yaml
new file mode 100644
index 00000000..d605c16d
--- /dev/null
+++ b/data/reports/GO-2023-2045.yaml
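Review bot: `"modified"` and `"published"` near the top of the hunk are both the zero timestamp `"0001-01-01T00:00:00Z"`, which an OSV consumer will accept as a real RFC 3339 date and treat this entry as the oldest advisory in the feed. If this file is derived from data/reports/GO-2023-2045.yaml and the export step stamps real values before the database is served, that is fine, but nothing in the commit shows it. Otherwise `"published"` should carry the date the report is merged and `"modified"` should be refreshed whenever the record is regenerated, since downstream tools use `"modified"` to decide whether to re-fetch an advisory.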
@@ -0,0 +1,29 @@
+id: GO-2023-2045
+modules:
+ - module: std
+ versions:
+ - fixed: 1.20.8
+ - introduced: 1.21.0-0
+ fixed: 1.21.1
+ vulnerable_at: 1.21.0
+ packages:
+ - package: crypto/tls
+ symbols:
+ - QUICConn.HandleData
+summary: Memory exhaustion in QUIC connection handling in crypto/tls
+description: |-
+ QUIC connections do not set an upper bound on the amount of data buffered when
+ reading post-handshake messages, allowing a malicious QUIC connection to cause
+ unbounded memory growth.
+
+ With fix, connections now consistently reject messages larger than 65KiB in
+ size.
+credits:
+ - Marten Seemann
+references:
+ - report: https://go.dev/issue/62266
+ - fix: https://go.dev/cl/523039
+ - web: https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ
+cve_metadata:
+ id: CVE-2023-39322
+ cwe: 'CWE-400: Uncontrolled Resource Consumption'