CVE-2023-39321: 
Grafana vulnerability analysis and mitigation

CVE-2023-39321 is a vulnerability discovered in Go programming language that affects version 1.21.0-0 before 1.21.1. The vulnerability was disclosed on September 8, 2023, and involves the processing of incomplete post-handshake messages for QUIC connections that can trigger a panic in the system (NVD, Go Issue).

The vulnerability occurs when QUICConn.HandleData processes an incomplete post-handshake message for a QUIC connection. The size check implementation is incorrect, which can lead to passing along a partial message, triggering a panic when handlePostHandshakeMessage attempts to read the remainder of the message. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).

The successful exploitation of this vulnerability can lead to a Denial of Service (DoS) condition through system panic. The vulnerability affects the availability of the system while having no direct impact on confidentiality or integrity (NetApp Advisory).

The vulnerability has been fixed in Go version 1.21.1. Users are advised to upgrade to this version or later to address the issue. The fix was implemented through a patch that corrects the message size checking mechanism in the QUICConn.HandleData function (Go Announcement).

The vulnerability was initially reported by Marten Seemann. While this would typically be considered a PRIVATE track vulnerability, due to the API being new and the only known user (quic-go) having already released a workaround in a patch release, it was classified as a PUBLIC track issue (Go Issue).