What is the severity of CVE-2023-6193?

CVE-2023-6193 has a high severity due to its potential to cause excessive resource consumption.

How do I fix CVE-2023-6193?

To fix CVE-2023-6193, upgrade quiche to version 0.19.1 or later.

What versions are affected by CVE-2023-6193?

CVE-2023-6193 affects quiche versions 0.15.0 through 0.19.0.

What kind of vulnerability is CVE-2023-6193?

CVE-2023-6193 is a vulnerability related to unbounded queuing of path validation messages.

Who is impacted by CVE-2023-6193?

Users of quiche versions 0.15.0 to 0.19.0, particularly those using Cloudflare's implementation, are impacted by CVE-2023-6193.

Vulnerability/
CVE-2023-6193

medium

5.3

CWE

400

EPSS

0.072%

12/12/2023

13/12/2023

2/8/2024

CVE-2023-6193: Unbounded queuing of path validation messages in cloudflare-quiche

First published: Tue Dec 12 2023(Updated: )

### Impact quiche v. 0.15.0 through 0.19.0 was discovered to be vulnerable to unbounded queuing of path validation messages, which could lead to excessive resource consumption. QUIC path validation ([RFC 9000 Section 8.2](https://datatracker.ietf.org/doc/html/rfc9000#section-8.2)) requires that the recipient of a PATH_CHALLENGE frame responds by sending a PATH_RESPONSE. An unauthenticated remote attacker can exploit the vulnerability by sending PATH_CHALLENGE frames and manipulating the connection (e.g. by restricting the peer's congestion window size) so that PATH_RESPONSE frames can only be sent at the slower rate than they are received, leading to storage of path validation data in an unbounded queue. ### Patches Quiche versions greater than 0.19.0 address this problem. ### References [CVE-2023-6193](https://www.cve.org/CVERecord?id=CVE-2023-6193) [RFC 9000 Section 8.2](https://datatracker.ietf.org/doc/html/rfc9000#section-8.2)

Credit: cna@cloudflare.com cna@cloudflare.com

Affected Software	Affected Version	How to fix
rust/quiche	>=0.15.0<0.19.1	0.19.1
Cloudflare Quiche	>=0.15.0<=0.19.0

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2023-6193?
CVE-2023-6193 has a high severity due to its potential to cause excessive resource consumption.
How do I fix CVE-2023-6193?
To fix CVE-2023-6193, upgrade quiche to version 0.19.1 or later.
What versions are affected by CVE-2023-6193?
CVE-2023-6193 affects quiche versions 0.15.0 through 0.19.0.
What kind of vulnerability is CVE-2023-6193?
CVE-2023-6193 is a vulnerability related to unbounded queuing of path validation messages.
Who is impacted by CVE-2023-6193?
Users of quiche versions 0.15.0 to 0.19.0, particularly those using Cloudflare's implementation, are impacted by CVE-2023-6193.

collector/github-advisory-latest
alias/GHSA-w3vp-jw9m-f9pm
alias/CVE-2023-6193
collector/nvd-api
collector/nvd-cve
collector/github-advisory
agent/author
agent/type
agent/first-publish-date
agent/softwarecombine
agent/title
agent/weakness
agent/severity
agent/references
agent/event
collector/epss-latest
source/FIRST
agent/description
agent/epss
collector/mitre-cve
source/MITRE
agent/last-modified-date
agent/trending
agent/tags
agent/source
package-manager/rust
vendor/cloudflare
canonical/cloudflare quiche
version/cloudflare quiche/0.15.0
version/cloudflare quiche/0.19.0

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.