CVE-2023-6193: 
Rust vulnerability analysis and mitigation

CVE-2023-6193 affects quiche versions 0.15.0 through 0.19.0, discovered in December 2023. The vulnerability involves unbounded queuing of path validation messages in the QUIC protocol implementation, which could lead to excessive resource consumption. The affected software, quiche, is a QUIC transport protocol implementation (NVD CVE, GitHub Advisory).

The vulnerability stems from the QUIC path validation mechanism (RFC 9000 Section 8.2) where the recipient of a PATH_CHALLENGE frame must respond by sending a PATH_RESPONSE. The issue occurs when PATH_CHALLENGE frames are received at a faster rate than PATH_RESPONSE frames can be sent, leading to unbounded storage of path validation data. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (NVD CVE).

An unauthenticated remote attacker can exploit this vulnerability to cause excessive resource consumption on the target system. The attacker can achieve this by sending PATH_CHALLENGE frames and manipulating the connection, for example by restricting the peer's congestion window size, causing PATH_RESPONSE frames to be sent at a slower rate than they are received (GitHub Advisory).

The vulnerability has been fixed in versions greater than 0.19.0 of quiche. Users should upgrade to the latest version to address this security issue (GitHub Advisory).