CVE-2023-43669

The Tungstenite crate before 0.20.1 for Rust allows remote attackers to cause a denial of service (minutes of CPU consumption) via an excessively long HTTP header in a client handshake. The header length affects both how many times a parse is attempted (e.g., thousands of times, once per received fragment) and the average amount of data covered by each parse attempt (e.g., millions of bytes, because the whole accumulated buffer is re-parsed), so the CPU time spent grows roughly quadratically with the header length.
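The description above attributes the cost to two factors that multiply: the number of parse attempts and the size of the buffer each attempt covers. The following added example is not tungstenite's code and does not reproduce its parser; it is a minimal model written for this page in which a server accumulates handshake bytes and looks for the end of the HTTP request head. The 1024-byte chunk size, the 8 KiB header cap, the constructed attack payload and all function names are assumptions made for illustration. The vulnerable loop re-scans the whole buffer from byte 0 after every chunk with no size bound; the hardened loop caps the header block and resumes scanning where the previous attempt stopped.

```rust
// Added illustration of the quadratic handshake-parsing pattern behind
// CVE-2023-43669. Not tungstenite's code: the chunk size, header cap,
// scanner and payload are assumptions made for this example.

const CHUNK: usize = 1024; // assumed attacker-chosen write size per segment

/// Outcome of one attempt to locate the end of an HTTP/1.1 request head.
#[derive(Debug, PartialEq, Eq)]
pub enum Head {
    Complete(usize), // index just past the terminating "\r\n\r\n"
    Partial,         // need more bytes
    TooLarge,        // header block exceeded the configured cap
}

/// Scan `buf` for "\r\n\r\n" starting at `start`. Returns the head end (if
/// found) and the number of byte positions examined, which stands in for the
/// CPU time the parser burns.
pub fn find_head_end(buf: &[u8], start: usize) -> (Option<usize>, usize) {
    let mut examined = 0;
    let mut i = start;
    while i < buf.len() {
        examined += 1;
        if buf[i] == b'\r' && buf[i..].starts_with(b"\r\n\r\n") {
            return (Some(i + 4), examined);
        }
        i += 1;
    }
    (None, examined)
}

/// Vulnerable pattern: append each chunk, then re-parse from byte 0 with no
/// bound on the header size. Total work is sum over k of (k * CHUNK) = O(n^2).
pub fn vulnerable_handshake(chunks: &[&[u8]]) -> (Head, usize) {
    let mut buf: Vec<u8> = Vec::new();
    let mut work = 0;
    for c in chunks {
        buf.extend_from_slice(c);
        let (end, examined) = find_head_end(&buf, 0);
        work += examined;
        if let Some(n) = end {
            return (Head::Complete(n), work);
        }
    }
    (Head::Partial, work)
}

/// Hardened pattern: reject once the head exceeds `max_head` bytes, and only
/// scan bytes appended since the last attempt (3-byte overlap so a terminator
/// split across two chunks is still found). Total work is O(n), and n is bounded.
pub fn hardened_handshake(chunks: &[&[u8]], max_head: usize) -> (Head, usize) {
    let mut buf: Vec<u8> = Vec::new();
    let mut work = 0;
    let mut scanned_to = 0usize;
    for c in chunks {
        buf.extend_from_slice(c);
        if buf.len() > max_head {
            return (Head::TooLarge, work);
        }
        let start = scanned_to.saturating_sub(3);
        let (end, examined) = find_head_end(&buf, start);
        work += examined;
        if let Some(n) = end {
            return (Head::Complete(n), work);
        }
        scanned_to = buf.len();
    }
    (Head::Partial, work)
}

/// Constructed attack payload: a request line plus one header whose value never
/// terminates, padded to `total` bytes.
pub fn oversized_header(total: usize) -> Vec<u8> {
    let mut p = b"GET /chat HTTP/1.1\r\nHost: example\r\nX-Pad: ".to_vec();
    p.resize(total, b'a');
    p
}

/// Split a payload into the CHUNK-sized writes the attacker would send.
pub fn chunked(payload: &[u8]) -> Vec<&[u8]> {
    payload.chunks(CHUNK).collect()
}

fn main() {
    let attack = oversized_header(128 * 1024);
    let chunks = chunked(&attack);
    let (v_state, v_work) = vulnerable_handshake(&chunks);
    let (h_state, h_work) = hardened_handshake(&chunks, 8 * 1024);
    println!("vulnerable: {:?}, {} byte positions examined", v_state, v_work);
    println!("hardened:   {:?}, {} byte positions examined", h_state, h_work);
}
```

With a 128 KiB header delivered in 1 KiB writes the vulnerable loop examines well over 50 bytes per byte received, and the number keeps growing with the header size; the hardened loop stops at the cap after examining roughly the cap's worth of bytes. Both loops still accept a normal handshake whose terminator straddles a chunk boundary, which is the case a naive "scan only the new bytes" optimisation gets wrong without the overlap.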
CVSS 3.x base score

Provider   Type   Base Score   Atk. Vector   Atk. Complexity   Priv. Required   Vector
NIST       NIST   7.5 HIGH     NETWORK       LOW               NONE             CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
mitre      CNA    ---          ---           ---               ---              ---
CVE        ADP    ---          ---           ---               ---              ---

EPSS score percentile: 86%
Affected versions

Vendor     Product       Version
snapview   tungstenite   x ≤ 0.20.0

(x = vulnerable software versions)
Debian releases

Product            Codename   Version    Status
rust-tungstenite   trixie     0.24.0-2   fixed
rust-tungstenite   sid        0.24.0-3   fixed
Ubuntu releases

Product            Codename   Status
rust-tungstenite   oracular   needs-triage
rust-tungstenite   noble      needs-triage
rust-tungstenite   mantic     ignored
rust-tungstenite   lunar      dne
rust-tungstenite   jammy      dne
rust-tungstenite   focal      dne
rust-tungstenite   bionic     ignored
rust-tungstenite   xenial     dne
rust-tungstenite   trusty     ignored

(dne = the package does not exist in that release)