CVE-2023-43669

EUVD-2023-2481
The Tungstenite crate before 0.20.1 for Rust allows remote attackers to cause a denial of service (minutes of CPU consumption) via an excessive length of an HTTP header in a client handshake. The length affects both how many times a parse is attempted (e.g., thousands of times) and the average amount of data for each parse attempt (e.g., millions of bytes).
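The cost model in the description (work = number of parse attempts × bytes parsed per attempt) is easiest to see in code. The block below is an added example, not tungstenite's own handshake code: a toy server-side reader that appends every chunk from the socket and re-parses the whole buffer from byte zero until the end of the HTTP request head arrives, which is the pattern that makes a long header value quadratic in cost. The `max_head_bytes` cap is a hypothetical mitigation added here to show the effect of bounding the buffered request head; the advisory only states that 0.20.1 is fixed and this example does not claim to reproduce that fix. The request bytes are constructed inline.

```rust
// Added example (not tungstenite's code): a minimal model of the parsing
// pattern CVE-2023-43669 describes, where every incoming chunk triggers a
// fresh parse of the entire buffered handshake, so total work grows with
// (number of attempts) x (bytes per attempt).

/// Outcome of one parse attempt over everything buffered so far.
#[derive(Debug, PartialEq)]
pub enum Parse {
    /// The end-of-headers marker has not arrived; the caller should read more.
    Incomplete,
    /// The request head is complete; payload is its length in bytes.
    Complete(usize),
}

/// Scan the whole buffer for the "\r\n\r\n" that ends the HTTP request head.
/// This is O(buf.len()) on every call and never resumes where the previous
/// attempt stopped, which is the costly behaviour being modelled.
pub fn try_parse_head(buf: &[u8]) -> Parse {
    match buf.windows(4).position(|w| w == b"\r\n\r\n") {
        Some(i) => Parse::Complete(i + 4),
        None => Parse::Incomplete,
    }
}

/// Drive a server-side handshake the naive way: append each chunk read from
/// the socket and re-parse from byte zero.
///
/// `max_head_bytes` is a hypothetical mitigation knob (an assumption of this
/// example): `None` reproduces the unbounded behaviour, `Some(n)` rejects the
/// connection once more than `n` bytes of request head are buffered, before
/// any further parse attempt is made.
///
/// Returns `(total bytes scanned across all attempts, number of attempts)`.
pub fn drive_handshake(
    input: &[u8],
    chunk: usize,
    max_head_bytes: Option<usize>,
) -> Result<(usize, usize), String> {
    let mut buf: Vec<u8> = Vec::new();
    let mut scanned = 0usize;
    let mut attempts = 0usize;
    for piece in input.chunks(chunk) {
        buf.extend_from_slice(piece);
        if let Some(limit) = max_head_bytes {
            if buf.len() > limit {
                return Err(format!(
                    "handshake rejected: {} buffered bytes exceed the {}-byte limit",
                    buf.len(),
                    limit
                ));
            }
        }
        attempts += 1;
        scanned += buf.len();
        if let Parse::Complete(_) = try_parse_head(&buf) {
            return Ok((scanned, attempts));
        }
    }
    Err("connection closed before the end of the request head".to_string())
}

/// Constructed client handshake whose one extra header carries a value of
/// `pad_len` bytes; this stands in for the "excessive length of an HTTP
/// header" the advisory describes.
pub fn build_request(pad_len: usize) -> Vec<u8> {
    let mut req = Vec::new();
    req.extend_from_slice(
        b"GET /ws HTTP/1.1\r\nHost: example.invalid\r\nUpgrade: websocket\r\nConnection: Upgrade\r\nX-Padding: ",
    );
    req.extend(std::iter::repeat(b'a').take(pad_len));
    req.extend_from_slice(b"\r\n\r\n");
    req
}

fn main() {
    // 1 KiB chunks, as a socket read loop might deliver them.
    for &pad in &[10_000usize, 50_000, 200_000] {
        let req = build_request(pad);
        let (scanned, attempts) = drive_handshake(&req, 1024, None).unwrap();
        println!(
            "{:>7} header bytes: {:>4} attempts, {:>11} bytes scanned in total",
            pad, attempts, scanned
        );
        match drive_handshake(&req, 1024, Some(16 * 1024)) {
            Ok(_) => println!("        with a 16 KiB cap: accepted"),
            Err(e) => println!("        with a 16 KiB cap: {}", e),
        }
    }
}
```

With chunk size c and a request head of n bytes, the unbounded loop makes about n/c attempts and scans roughly n²/(2c) bytes in total, so doubling the header length quadruples the work; the cap turns that into a constant-bounded rejection. Any real fix also has to consider the number of headers and the cost of the parse itself, not only the raw byte count.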
CVSS 3.x
Provider: NIST (Primary)
Base Score: 7.5 HIGH
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score
Percentile: 86%
Affected Products (NVD)
Vendor: snapview
Product: tungstenite
Version: ≤ 0.20.0 (vulnerable)
Debian Releases
Product: rust-tungstenite
Codename  Version   Status
sid       0.24.0-3  fixed
trixie    0.24.0-2  fixed
Ubuntu Releases
Product: rust-tungstenite
Codename  Status
bionic    ignored
focal     dne
jammy     dne
lunar     dne
mantic    ignored
noble     needs-triage
oracular  needs-triage
trusty    ignored
xenial    dne
(dne: the package does not exist in that release)
References