GHSA-58j9-j2fj-v8f4

Suggest an improvement
Source
https://github.com/advisories/GHSA-58j9-j2fj-v8f4
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-58j9-j2fj-v8f4/GHSA-58j9-j2fj-v8f4.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-58j9-j2fj-v8f4
Published
2024-01-19T20:31:21Z
Modified
2024-01-19T20:31:21Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
SurrealDB vulnerable to Uncontrolled CPU Consumption via WebSocket Interface
Details

SurrealDB depends on the tungstenite and tokio-tungstenite crates used by the axum crate, which handles connections to the SurrealDB WebSocket interface. On versions before 0.20.1, the tungstenite crate presented an issue which allowed the parsing of HTTP headers during the client handshake to continuously consume high CPU when the headers were very long. All affected crates have been updated in SurrealDB version 1.1.0.

From the original advisory for CVE-2023-43669: "The Tungstenite crate through 0.20.0 for Rust allows remote attackers to cause a denial of service (minutes of CPU consumption) via an excessive length of an HTTP header in a client handshake. The length affects both how many times a parse is attempted (e.g., thousands of times) and the average amount of data for each parse attempt (e.g., millions of bytes)."

Impact

A remote unauthenticated attacker may cause a SurrealDB server that exposes its WebSocket interface to consume high CPU by sending an HTTP request with a very long header to the WebSocket interface, potentially leading to denial of service.

Patches

  • Version 1.1.0 and later are not affected by this issue.

Workarounds

Users unable to update may be able to limit access to the WebSocket interface (i.e. the /rpc endpoint) via reverse proxy if not in use or only used by a limited number of trusted clients. Alternatively, a reverse proxy may be used to strip or truncate request headers exceeding a reasonable length before reaching the SurrealDB server.

References

  • #2807
  • https://nvd.nist.gov/vuln/detail/CVE-2023-43669
  • https://rustsec.org/advisories/RUSTSEC-2023-0065.html
  • https://github.com/snapview/tungstenite-rs/issues/376
Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-19T20:31:21Z"
}
References

Affected packages

crates.io / surrealdb

Package

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.1.0