CVE-2023-49295: 
CBL Mariner vulnerability analysis and mitigation

CVE-2023-49295 affects quic-go, an implementation of the QUIC protocol (RFC 9000, RFC 9001, RFC 9002) in Go. The vulnerability was disclosed on January 10, 2024, and affects versions up to 0.37.6, 0.38.1, 0.39.3, and 0.40.0. The issue has been patched in versions 0.37.7, 0.38.2, 0.39.4, and 0.40.1 (GitHub Advisory).

The vulnerability allows an attacker to cause memory exhaustion in the target system by exploiting the path validation mechanism. The attack involves sending a large number of PATH_CHALLENGE frames, which require the receiver to respond with PATH_RESPONSE frames. The attacker can prevent the receiver from sending out most of these PATH_RESPONSE frames by manipulating the peer's congestion window through selective packet acknowledgment and RTT estimate manipulation (GitHub Advisory). The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

The successful exploitation of this vulnerability can lead to memory exhaustion on the target system, potentially causing service disruption. The attack specifically impacts the availability of the system while not affecting confidentiality or integrity (NVD).

The vulnerability has been fixed in quic-go versions 0.37.7, 0.38.2, 0.39.4, and 0.40.1. Users are strongly advised to upgrade to these patched versions as there are no alternative mitigations available (GitHub Advisory).

The vulnerability has been acknowledged and addressed by various downstream projects. For example, Fedora has released security updates for affected packages in Fedora 38 and 39 to address this vulnerability (Fedora Update).