- Package: tokio-rustls (crates.io)
- Type: Vulnerability
- Keywords: #tls, #ssl, #DoS
- CVSS Score: 7.5 HIGH
- CVSS Details:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Patched:
  - >=0.12.3, <0.13.0
  - >=0.13.1

Description

tokio-rustls does not call process_new_packets immediately after read, so the expected termination condition wants_read always returns true. As long as new incoming data arrives faster than it is processed and the reader does not return pending, data will be buffered. This may cause DoS.
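
A simplified model of the read loop described above, added here as an illustration; it is not code from tokio-rustls or rustls. ToySession, peak_buffered and the rule that wants_read stays true until processed plaintext is available are assumptions of the model, and the chunk data is constructed.

```rust
// Toy model (assumption: not rustls or tokio-rustls code). Raw TLS bytes wait
// in `raw` until process_new_packets() turns them into readable plaintext.
#[derive(Default)]
struct ToySession {
    raw: Vec<u8>,
    plaintext: Vec<u8>,
}

impl ToySession {
    fn read_tls(&mut self, chunk: &[u8]) {
        self.raw.extend_from_slice(chunk);
    }
    fn process_new_packets(&mut self) {
        self.plaintext.append(&mut self.raw);
    }
    // Assumed back-pressure rule: ask for more input only while no plaintext is ready.
    fn wants_read(&self) -> bool {
        self.plaintext.is_empty()
    }
}

/// Runs one read call against a peer that has `chunks` chunks of `chunk_len`
/// bytes ready and only then reports pending. Returns the peak number of
/// bytes held in the session's buffers during that call.
fn peak_buffered(chunks: usize, chunk_len: usize, process_after_each_read: bool) -> usize {
    let mut session = ToySession::default();
    let chunk = vec![0u8; chunk_len]; // constructed sample input
    let mut remaining = chunks;
    let mut peak = 0;
    while session.wants_read() {
        if remaining == 0 {
            break; // the reader returned pending
        }
        remaining -= 1;
        session.read_tls(&chunk);
        if process_after_each_read {
            // The step the advisory says was missing: wants_read() can now end the loop.
            session.process_new_packets();
        }
        peak = peak.max(session.raw.len() + session.plaintext.len());
    }
    session.process_new_packets(); // deferred processing, as in the affected ordering
    peak
}

fn main() {
    println!("deferred processing: {} bytes", peak_buffered(1000, 16 * 1024, false));
    println!("process after read:  {} bytes", peak_buffered(1000, 16 * 1024, true));
}
```

With processing deferred, the buffered amount grows with everything the peer can deliver before the reader returns pending; with processing after each read it stays at one chunk.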

Advisory available under CC0-1.0 license.