RUSTSEC-2020-0019

Source
https://rustsec.org/advisories/RUSTSEC-2020-0019
Import Source
https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2020-0019.json
JSON Data
https://api.osv.dev/v1/vulns/RUSTSEC-2020-0019
Aliases
Published
2020-05-19T12:00:00Z
Modified
2023-11-08T04:03:36.949759Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
tokio-rustls reads may cause excessive memory usage
Details

tokio-rustls does not call process_new_packets immediately after a read, so the read loop's expected termination condition, wants_read, always returns true. As long as new incoming data arrives faster than it is processed and the reader does not return Pending, the data keeps being buffered and memory usage grows.

This may be used to cause a denial of service (DoS).

Database specific
{
    "license": "CC0-1.0"
}
References

Affected packages

crates.io / tokio-rustls

Package

Affected ranges

Type
SEMVER
Events
Introduced 0.12.0, fixed 0.12.3
Introduced 0.13.0, fixed 0.13.1

Ecosystem specific

{
    "affected_functions": null,
    "affects": {
        "os": [],
        "functions": [],
        "arch": []
    }
}

Database specific

{
    "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "informational": null,
    "categories": [
        "denial-of-service"
    ]
}