CVE-2022-30591
Last modified
CVE-2022-30591 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. quic-go through 0.27.0 allows remote attackers to cause a denial of service (CPU consumption) via a Slowloris variant in which incomplete QUIC or HTTP/3 requests are sent. This occurs because mtu_discoverer.go misparses the MTU Discovery service and consequently overflows the probe timer. EPSS estimates a 2.41% chance of exploitation in the next 30 days.
Description
quic-go through 0.27.0 allows remote attackers to cause a denial of service (CPU consumption) via a Slowloris variant in which incomplete QUIC or HTTP/3 requests are sent. This occurs because mtu_discoverer.go misparses the MTU Discovery service and consequently overflows the probe timer. NOTE: the vendor's position is that this behavior should not be listed as a vulnerability on the CVE List
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Quic-Go Project | Quic-Go | <= 0.27.0 |
References
- https://github.com/lucas-clemente/quic-go/blob/84e03e59760ceee37359688871bb0688fcc4e98f/mtu_discoverer.goExploit, Third Party Advisory
- https://github.com/lucas-clemente/quic-go/blob/84e03e59760ceee37359688871bb0688fcc4e98f/mtu_discoverer.goExploit, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2022-30591?
How severe is CVE-2022-30591?
How do I fix CVE-2022-30591?
Are you affected by CVE-2022-30591?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST