RUSTSEC-2020-0019

tokio-rustls reads may cause excessive memory usage

Package: tokio-rustls (crates.io)
Type: Vulnerability
Keywords: #tls #ssl #DoS
CVSS Score: 7.5 HIGH
CVSS Details:
  • Attack vector: Network
  • Attack complexity: Low
  • Privileges required: None
  • User interaction: None
  • Scope: Unchanged
  • Confidentiality: None
  • Integrity: None
  • Availability: High
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Patched:
  • >=0.12.3, <0.13.0
  • >=0.13.1
Unaffected:
  • <0.12

Description

tokio-rustls does not call process_new_packets immediately after a read, so the loop's expected termination condition, wants_read, keeps returning true. As long as new incoming data arrives faster than it is processed and the underlying reader never returns Pending, the read loop keeps pulling TLS bytes into the session buffer without bound.

This may cause a denial of service (DoS) through memory exhaustion.
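The two loop shapes, as an added illustration that is not code from tokio-rustls or rustls: MockSession is a constructed stand-in for the rustls session (its read_tls, process_new_packets and wants_read are simplified models, not the real API), and the socket is assumed to always have data ready, never returning Pending.

```rust
/// Constructed stand-in for the rustls session surface; not the rustls API.
pub struct MockSession {
    pending_tls: Vec<u8>, // TLS bytes read from the socket, not yet processed
    plaintext: Vec<u8>,   // application data ready to hand to the caller
}

impl MockSession {
    pub fn new() -> Self {
        MockSession { pending_tls: Vec::new(), plaintext: Vec::new() }
    }
    /// Like `read_tls`: move bytes from the socket into the session buffer.
    pub fn read_tls(&mut self, chunk: &[u8]) -> usize {
        self.pending_tls.extend_from_slice(chunk);
        chunk.len()
    }
    /// Like `process_new_packets`: turn buffered TLS bytes into plaintext.
    pub fn process_new_packets(&mut self) {
        self.plaintext.append(&mut self.pending_tls);
    }
    /// Like `wants_read`: true while no plaintext is available yet.
    pub fn wants_read(&self) -> bool {
        self.plaintext.is_empty()
    }
    pub fn buffered_tls(&self) -> usize {
        self.pending_tls.len()
    }
}

/// Drive the read loop over a socket that always has data ready (never Pending).
/// Returns the peak number of unprocessed TLS bytes the session held.
/// `process_after_read == false` models the vulnerable loop, `true` the fix.
pub fn peak_buffered_bytes(process_after_read: bool, chunks: usize, chunk_len: usize) -> usize {
    let mut session = MockSession::new();
    let chunk = vec![0u8; chunk_len]; // constructed record payload
    let mut peak = 0;
    for _ in 0..chunks {
        if !session.wants_read() {
            break; // the termination condition the loop relies on
        }
        session.read_tls(&chunk);
        if process_after_read {
            session.process_new_packets(); // makes wants_read turn false
        }
        peak = peak.max(session.buffered_tls());
    }
    peak
}

fn main() {
    println!("vulnerable loop buffered {} bytes", peak_buffered_bytes(false, 1_000, 16 * 1024));
    println!("fixed loop buffered {} bytes", peak_buffered_bytes(true, 1_000, 16 * 1024));
}
```

Without the process_new_packets call the buffer grows to the total of everything the socket delivers; with it, the first read already satisfies wants_read and the loop stops.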

Advisory available under CC0-1.0 license.