CVE-2023-6180 - Vulnerability Details - OpenCVE

The tokio-boring library in version 4.0.0 is affected by a memory leak issue that can lead to excessive resource consumption and potential DoS by resource exhaustion. The set_ex_data function used by the library did not deallocate memory used by pre-existing data in memory each time after completing a TLS connection causing the program to consume more resources with each new connection.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00073.

Key SSVC decision points have not yet been added.

Vendors	Products
Cloudflare Subscribe	Boring Subscribe

Configuration 1 [-]

cpe:2.3:a:cloudflare:boring:4.0.0:*:*:*:*:rust:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2023-3262	The tokio-boring library in version 4.0.0 is affected by a memory leak issue that can lead to excessive resource consumption and potential DoS by resource exhaustion. The set_ex_data function used by the library did not deallocate memory used by pre-existing data in memory each time after completing a TLS connection causing the program to consume more resources with each new connection.
Github GHSA	GHSA-pjrj-h4fg-6gm4	tokio-boring vulnerable to resource exhaustion via memory leak

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/cloudflare/boring/security/advisories/GHSA-pjrj-h4fg-6gm4

History

No history.

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: cloudflare

Published: 2023-12-05T15:02:40.007Z

Updated: 2024-08-02T08:21:17.825Z

Reserved: 2023-11-16T19:15:23.367Z

Link: CVE-2023-6180

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-12-05T15:15:08.703

Modified: 2024-11-21T08:43:18.253

Link: CVE-2023-6180

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-6180", "assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513", "state": "PUBLISHED", "assignerShortName": "cloudflare", "dateReserved": "2023-11-16T19:15:23.367Z", "datePublished": "2023-12-05T15:02:40.007Z", "dateUpdated": "2024-08-02T08:21:17.825Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://github.com/cloudflare/boring/tree/master/tokio-boring", "defaultStatus": "unaffected", "modules": ["toki-boring"], "packageName": "boring", "product": "tokio-boring", "vendor": "Cloudflare", "versions": [{"lessThanOrEqual": "4.1.0", "status": "affected", "version": "4.0.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "reporter", "user": "00000000-0000-4000-9000-000000000000", "value": "Eric Rosenberg"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">The tokio-boring library in version 4.0.0 is affected by a memory leak issue that can lead to excessive resource consumption and potential DoS by resource exhaustion. The set_ex_data function used by the library did not deallocate memory used by pre-existing data in memory each time after completing a TLS connection causing the program to consume more resources with each new connection.</span><br>"}], "value": "The tokio-boring library in version 4.0.0 is affected by a memory leak issue that can lead to excessive resource consumption and potential DoS by resource exhaustion. The set_ex_data function used by the library did not deallocate memory used by pre-existing data in memory each time after completing a TLS connection causing the program to consume more resources with each new connection.\n"}], "impacts": [{"capecId": "CAPEC-130", "descriptions": [{"lang": "en", "value": "CAPEC-130 Excessive Allocation"}]}, {"capecId": "CAPEC-131", "descriptions": [{"lang": "en", "value": "CAPEC-131 Resource Leak Exposure"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-404", "description": "CWE-404 Improper Resource Shutdown or Release", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513", "shortName": "cloudflare", "dateUpdated": "2023-12-05T15:02:40.007Z"}, "references": [{"url": "https://github.com/cloudflare/boring/security/advisories/GHSA-pjrj-h4fg-6gm4"}], "source": {"discovery": "EXTERNAL"}, "title": "Resource exhaustion via memory leak in tokio-boring", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T08:21:17.825Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/cloudflare/boring/security/advisories/GHSA-pjrj-h4fg-6gm4", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cloudflare:boring:4.0.0:*:*:*:*:rust:*:*", "matchCriteriaId": "FE7E647F-7BD0-4C49-BF61-E39D8B8B318D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The tokio-boring library in version 4.0.0 is affected by a memory leak issue that can lead to excessive resource consumption and potential DoS by resource exhaustion. The set_ex_data function used by the library did not deallocate memory used by pre-existing data in memory each time after completing a TLS connection causing the program to consume more resources with each new connection.\n"}, {"lang": "es", "value": "La librer\u00eda tokio-boring en la versi\u00f3n 4.0.0 se ve afectada por un problema de p\u00e9rdida de memoria que puede provocar un consumo excesivo de recursos y una posible DoS por agotamiento de los recursos. La funci\u00f3n set_ex_data utilizada por la librer\u00eda no desasign\u00f3 la memoria utilizada por los datos preexistentes en la memoria cada vez que se complet\u00f3 una conexi\u00f3n TLS, lo que provoc\u00f3 que el programa consumiera m\u00e1s recursos con cada nueva conexi\u00f3n."}], "id": "CVE-2023-6180", "lastModified": "2024-11-21T08:43:18.253", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "cna@cloudflare.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-12-05T15:15:08.703", "references": [{"source": "cna@cloudflare.com", "tags": ["Vendor Advisory"], "url": "https://github.com/cloudflare/boring/security/advisories/GHSA-pjrj-h4fg-6gm4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://github.com/cloudflare/boring/security/advisories/GHSA-pjrj-h4fg-6gm4"}], "sourceIdentifier": "cna@cloudflare.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}, {"lang": "en", "value": "CWE-404"}], "source": "cna@cloudflare.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-401"}], "source": "nvd@nist.gov", "type": "Primary"}]}