Allocation of Resources Without Limits or Throttling

CVE-2023-39322

High

7.5/10

Summary

QUIC connections do not set an upper bound on the amount of data buffered when reading post-handshake messages, allowing a malicious QUIC connection to cause unbounded memory growth. With fix, connections now consistently reject messages larger than 65KiB in size.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: NONE
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: NONE
Availability Impact: HIGH

CWE-770 - Allocation of Resources Without Limits or Throttling

The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

References

Advisory Timeline

Published Sep 08, 2023

Allocation of Resources Without Limits or Throttling

CVE-2023-39322

Summary

CWE-770 - Allocation of Resources Without Limits or Throttling

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS