5.9

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-1765

GHSA ID

GHSA-78wx-jg4j-5j6g

EPSS Score

0.74047%

CWE

CWE-400

Published

3/13/2024

Updated

3/13/2024

KEV Status

Technology

Rust

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-1765

CVE-2024-1765: quiche vulnerable to unlimited resource allocation by QUIC CRYPTO frames flooding

Impact

Cloudflare Quiche (through version 0.19.1/0.20.0) was affected by an unlimited resource allocation vulnerability causing rapid increase of memory usage of the system running quiche server or client.

A remote attacker could take advantage of this vulnerability by repeatedly sending an unlimited number of 1-RTT CRYPTO frames after previously completing the QUIC handshake. Exploitation was possible for the duration of the connection which could be extended by the attacker.

Patches

Quiche 0.19.2 and 0.20.1 are the earliest versions containing the fix for this issue.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2024-1765

CVE-2024-1765:

5.9

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-1765

GHSA ID

GHSA-78wx-jg4j-5j6g

EPSS Score

0.74047%

CWE

CWE-400

Published

3/13/2024

Updated

3/13/2024

KEV Status

Technology

Rust

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
quiche	rust	< 0.19.2	0.19.2
quiche	rust	>= 0.20.0, < 0.20.1	0.20.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from missing bounds checking when handling CRYPTO frames. The patch adds a MAX_CRYPTO_STREAM_OFFSET check (1 << 16) in the CRYPTO frame processing logic. The diff shows this check was inserted in the Frame::Crypto handler within Connection implementation in lib.rs. Before the fix, the code would accept any offset value, enabling attackers to exhaust memory by sending overlapping/out-of-order CRYPTO frames with large offsets, forcing the system to buffer unreasonably large amounts of data.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

5.9

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-1765: quiche vulnerable to unlimited resource allocation by QUIC CRYPTO frames flooding

Impact

Patches

CVE-2024-1765:

5.9

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

5.9

5.9

Basic Information

Basic Information

CVE-2024-1765: quiche vulnerable to unlimited resource allocation by QUIC CRYPTO frames flooding

Impact

Patches

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI