CVE-2020-35875 – tokio-rustls

Package

Manager: cargo
Name: tokio-rustls
Vulnerable Version: >=0.12.0 <0.12.3 || >=0.13.0 <0.13.1

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00334 pctl0.5564

Details

Excessive memory usage in tokio-rustls tokio-rustls does not call process_new_packets immediately after read, so the expected termination condition wants_read always returns true. As long as new incoming data arrives faster than it is processed and the reader does not return pending, data will be buffered. This may cause DoS.

Metadata

Created: 2021-08-25T20:46:54Z
Modified: 2023-06-13T21:56:58Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-2jfv-g3fh-xq3v/GHSA-2jfv-g3fh-xq3v.json
CWE IDs: ["CWE-400"]
Alternative ID: GHSA-2jfv-g3fh-xq3v
Finding: F067
Auto approve: 1