CVE-2023-6180 - OpenCVE

The tokio-boring library in version 4.0.0 is affected by a memory leak issue that can lead to excessive resource consumption and potential DoS by resource exhaustion. The set_ex_data function used by the library did not deallocate memory used by pre-existing data in memory each time after completing a TLS connection causing the program to consume more resources with each new connection.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Cloudflare	Boring

Configuration 1 [-]

cpe:2.3:a:cloudflare:boring:4.0.0:*:*:*:*:rust:*:*

References

Link	Resource
https://github.com/cloudflare/boring/security/advisories/GHSA-pjrj-h4fg-6gm4	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: cloudflare

Published: 2023-12-05T15:02:40.007Z

Updated: 2023-12-05T15:02:40.007Z

Reserved: 2023-11-16T19:15:23.367Z

Link: CVE-2023-6180

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-12-05T15:15:08.703

Modified: 2023-12-12T15:49:29.317

Link: CVE-2023-6180

JSON object: View

Redhat Information

No data.

CWE

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-6180", "assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513", "state": "PUBLISHED", "assignerShortName": "cloudflare", "dateReserved": "2023-11-16T19:15:23.367Z", "datePublished": "2023-12-05T15:02:40.007Z", "dateUpdated": "2023-12-05T15:02:40.007Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://github.com/cloudflare/boring/tree/master/tokio-boring", "defaultStatus": "unaffected", "modules": ["toki-boring"], "packageName": "boring", "product": "tokio-boring", "vendor": "Cloudflare", "versions": [{"lessThanOrEqual": "4.1.0", "status": "affected", "version": "4.0.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "reporter", "user": "00000000-0000-4000-9000-000000000000", "value": "Eric Rosenberg"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">The tokio-boring library in version 4.0.0 is affected by a memory leak issue that can lead to excessive resource consumption and potential DoS by resource exhaustion. The set_ex_data function used by the library did not deallocate memory used by pre-existing data in memory each time after completing a TLS connection causing the program to consume more resources with each new connection.</span><br>"}], "value": "The tokio-boring library in version 4.0.0 is affected by a memory leak issue that can lead to excessive resource consumption and potential DoS by resource exhaustion. The set_ex_data function used by the library did not deallocate memory used by pre-existing data in memory each time after completing a TLS connection causing the program to consume more resources with each new connection.\n"}], "impacts": [{"capecId": "CAPEC-130", "descriptions": [{"lang": "en", "value": "CAPEC-130 Excessive Allocation"}]}, {"capecId": "CAPEC-131", "descriptions": [{"lang": "en", "value": "CAPEC-131 Resource Leak Exposure"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-404", "description": "CWE-404 Improper Resource Shutdown or Release", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513", "shortName": "cloudflare", "dateUpdated": "2023-12-05T15:02:40.007Z"}, "references": [{"url": "https://github.com/cloudflare/boring/security/advisories/GHSA-pjrj-h4fg-6gm4"}], "source": {"discovery": "EXTERNAL"}, "title": "Resource exhaustion via memory leak in tokio-boring", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cloudflare:boring:4.0.0:*:*:*:*:rust:*:*", "matchCriteriaId": "FE7E647F-7BD0-4C49-BF61-E39D8B8B318D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The tokio-boring library in version 4.0.0 is affected by a memory leak issue that can lead to excessive resource consumption and potential DoS by resource exhaustion. The set_ex_data function used by the library did not deallocate memory used by pre-existing data in memory each time after completing a TLS connection causing the program to consume more resources with each new connection.\n"}, {"lang": "es", "value": "La librer\u00eda tokio-boring en la versi\u00f3n 4.0.0 se ve afectada por un problema de p\u00e9rdida de memoria que puede provocar un consumo excesivo de recursos y una posible DoS por agotamiento de los recursos. La funci\u00f3n set_ex_data utilizada por la librer\u00eda no desasign\u00f3 la memoria utilizada por los datos preexistentes en la memoria cada vez que se complet\u00f3 una conexi\u00f3n TLS, lo que provoc\u00f3 que el programa consumiera m\u00e1s recursos con cada nueva conexi\u00f3n."}], "id": "CVE-2023-6180", "lastModified": "2023-12-12T15:49:29.317", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "cna@cloudflare.com", "type": "Secondary"}]}, "published": "2023-12-05T15:15:08.703", "references": [{"source": "cna@cloudflare.com", "tags": ["Vendor Advisory"], "url": "https://github.com/cloudflare/boring/security/advisories/GHSA-pjrj-h4fg-6gm4"}], "sourceIdentifier": "cna@cloudflare.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-401"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-400"}, {"lang": "en", "value": "CWE-404"}], "source": "cna@cloudflare.com", "type": "Secondary"}]}