RUSTSEC-2020-0043

Source
https://rustsec.org/advisories/RUSTSEC-2020-0043
Import Source
https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2020-0043.json
JSON Data
https://api.osv.dev/v1/vulns/RUSTSEC-2020-0043
Aliases
Published
2020-09-25T12:00:00Z
Modified
2023-11-08T04:03:38.052797Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
Insufficient size checks in outgoing buffer in ws allows remote attacker to run the process out of memory
Details

Affected versions of this crate did not properly check and cap the growth of the outgoing buffer.

This allows a remote attacker to take down the process by growing the buffer of their (single) connection until the process runs out of memory it can allocate and is killed.

The flaw was corrected in the parity-ws fork (>=0.10.0) by disconnecting a client when the buffer runs full.

Database specific
{
    "license": "CC0-1.0"
}
References

Affected packages

crates.io / ws

Package

Affected ranges

Type
SEMVER
Events
Introduced
0.0.0-0

Ecosystem specific

{
    "affected_functions": null,
    "affects": {
        "os": [],
        "functions": [],
        "arch": []
    }
}

Database specific

{
    "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "informational": null,
    "categories": [
        "denial-of-service"
    ]
}