RUSTSEC-2020-0043

See a problem?
Please try reporting it to the source first.

Source

https://rustsec.org/advisories/RUSTSEC-2020-0043

Import Source

https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2020-0043.json

JSON Data

https://api.osv.dev/v1/vulns/RUSTSEC-2020-0043

Aliases

Published

2020-09-25T12:00:00Z

Modified

2023-11-08T04:03:38.052797Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

Insufficient size checks in outgoing buffer in ws allows remote attacker to run the process out of memory

Details

Affected versions of this crate did not properly check and cap the growth of the outgoing buffer.

This allows a remote attacker to take down the process by growing the buffer of their (single) connection until the process runs out of memory it can allocate and is killed.

The flaw was corrected in the parity-ws fork (>=0.10.0) by disconnecting a client when the buffer runs full.

Database specific

{
    "license": "CC0-1.0"
}

References

Affected packages

crates.io / ws

Package

Name: ws; View open source insights on deps.dev
Purl: pkg:cargo/ws

Affected ranges

Type: SEMVER
Events: Introduced

0.0.0-0

Ecosystem specific

{
    "affected_functions": null,
    "affects": {
        "os": [],
        "functions": [],
        "arch": []
    }
}

Database specific

{
    "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "informational": null,
    "categories": [
        "denial-of-service"
    ]
}