Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTJqZnYtZzNmaC14cTN2
Excessive memory usage in tokio-rustls
tokio-rustls does not call process_new_packets immediately after read, so the expected termination condition wants_read always returns true. As long as new incoming data arrives faster than it is processed and the reader does not return pending, data will be buffered. This may cause DoS.
Permalink: https://github.com/advisories/GHSA-2jfv-g3fh-xq3vJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTJqZnYtZzNmaC14cTN2
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 3 years ago
Updated: over 1 year ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Identifiers: GHSA-2jfv-g3fh-xq3v, CVE-2020-35875
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-35875
- https://github.com/tokio-rs/tls/pull/14
- https://rustsec.org/advisories/RUSTSEC-2020-0019.html
- https://github.com/advisories/GHSA-2jfv-g3fh-xq3v
Blast Radius: 31.3
Affected Packages
cargo:tokio-rustls
Dependent packages: 484Dependent repositories: 14,927
Downloads: 149,812,192 total
Affected Version Ranges: >= 0.13.0, < 0.13.1, >= 0.12.0, < 0.12.3
Fixed in: 0.13.1, 0.12.3
All affected versions: 0.12.0, 0.12.1, 0.12.2, 0.13.0
All unaffected versions: 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.1.6, 0.1.7, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.3.0, 0.3.1, 0.4.0, 0.5.0, 0.6.0, 0.7.0, 0.7.1, 0.7.2, 0.8.0, 0.8.1, 0.9.0, 0.9.1, 0.9.2, 0.9.3, 0.9.4, 0.10.0, 0.10.1, 0.10.2, 0.10.3, 0.12.3, 0.13.1, 0.14.0, 0.14.1, 0.15.0, 0.20.0, 0.21.0, 0.21.1, 0.22.0, 0.23.0, 0.23.1, 0.23.2, 0.23.3, 0.23.4, 0.24.0, 0.24.1, 0.25.0, 0.26.0