SCA: security update for github.com/quic-go/quic-go (GHSA-px8v-pp82-rcvr)

medium Tenable Cloud Security Plugin ID 417765

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- quic-go is an implementation of the QUIC protocol in Go. An off-path attacker can inject an ICMP Packet
Too Large packet. Since affected quic-go versions used IP_PMTUDISC_DO, the kernel would then return a
"message too large" error on sendmsg, i.e. when quic-go attempts to send a packet that exceeds the MTU
claimed in that ICMP packet. By setting this value to smaller than 1200 bytes (the minimum MTU for QUIC),
the attacker can disrupt a QUIC connection. Crucially, this can be done after completion of the handshake,
thereby circumventing any TCP fallback that might be implemented on the application layer (for example,
many browsers fall back to HTTP over TCP if they're unable to establish a QUIC connection). The attacker
needs to at least know the client's IP and port tuple to mount an attack. This vulnerability is fixed in
0.48.2. (CVE-2024-53259)

See Also

https://github.com/advisories/GHSA-px8v-pp82-rcvr

Plugin Details

Severity: Medium

ID: 417765

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.92

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 6.1

Temporal Score: 4.5

Vector: CVSS2#AV:A/AC:L/Au:N/C:N/I:N/A:C

CVSS Score Source: CVE-2024-53259

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.7

Vector: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: Medium

Base Score: 6

Threat Score: 2.3

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 12/2/2024

Vulnerability Publication Date: 12/2/2024

Reference Information

CVE: CVE-2024-53259

cwe: CWE-345