Vulnerability Details CVE-2023-43669
The Tungstenite crate before 0.20.1 for Rust allows remote attackers to cause a denial of service (minutes of CPU consumption) via an excessive length of an HTTP header in a client handshake. The length affects both how many times a parse is attempted (e.g., thousands of times) and the average amount of data for each parse attempt (e.g., millions of bytes).
Exploit prediction scoring system (EPSS) score
EPSS Score 0.024
EPSS Ranking 84.4%
CVSS Severity
CVSS v3 Score 7.5
Products affected by CVE-2023-43669
- cpe:2.3:a:snapview:tungstenite:-
- cpe:2.3:a:snapview:tungstenite:0.1.0
- cpe:2.3:a:snapview:tungstenite:0.1.1
- cpe:2.3:a:snapview:tungstenite:0.10.0
- cpe:2.3:a:snapview:tungstenite:0.10.1
- cpe:2.3:a:snapview:tungstenite:0.11.0
- cpe:2.3:a:snapview:tungstenite:0.11.1
- cpe:2.3:a:snapview:tungstenite:0.12.0
- cpe:2.3:a:snapview:tungstenite:0.13.0
- cpe:2.3:a:snapview:tungstenite:0.14.0
- cpe:2.3:a:snapview:tungstenite:0.15.0
- cpe:2.3:a:snapview:tungstenite:0.16.0
- cpe:2.3:a:snapview:tungstenite:0.17.0
- cpe:2.3:a:snapview:tungstenite:0.17.1
- cpe:2.3:a:snapview:tungstenite:0.17.2
- cpe:2.3:a:snapview:tungstenite:0.17.3
- cpe:2.3:a:snapview:tungstenite:0.18.0
- cpe:2.3:a:snapview:tungstenite:0.19.0
- cpe:2.3:a:snapview:tungstenite:0.2.0
- cpe:2.3:a:snapview:tungstenite:0.2.1
- cpe:2.3:a:snapview:tungstenite:0.2.2
- cpe:2.3:a:snapview:tungstenite:0.2.3
- cpe:2.3:a:snapview:tungstenite:0.2.4
- cpe:2.3:a:snapview:tungstenite:0.20.0
- cpe:2.3:a:snapview:tungstenite:0.4.0
- cpe:2.3:a:snapview:tungstenite:0.5.0
- cpe:2.3:a:snapview:tungstenite:0.5.1
- cpe:2.3:a:snapview:tungstenite:0.5.2
- cpe:2.3:a:snapview:tungstenite:0.5.3
- cpe:2.3:a:snapview:tungstenite:0.5.4
- cpe:2.3:a:snapview:tungstenite:0.6.0
- cpe:2.3:a:snapview:tungstenite:0.6.1
- cpe:2.3:a:snapview:tungstenite:0.7.0
- cpe:2.3:a:snapview:tungstenite:0.8.0
- cpe:2.3:a:snapview:tungstenite:0.8.1
- cpe:2.3:a:snapview:tungstenite:0.9.0
- cpe:2.3:a:snapview:tungstenite:0.9.1
- cpe:2.3:a:snapview:tungstenite:0.9.2
- cpe:2.3:o:fedoraproject:fedora:37
- cpe:2.3:o:fedoraproject:fedora:38
- cpe:2.3:o:fedoraproject:fedora:39