CVE-2023-6180

The tokio-boring library in version 4.0.0 is affected by a memory leak issue that can lead to excessive resource consumption and potential DoS by resource exhaustion. The set_ex_data function used by the library did not deallocate memory used by pre-existing data in memory each time after completing a TLS connection causing the program to consume more resources with each new connection.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/cloudflare/boring/security/advisories/GHSA-pjrj-h4fg-6gm4	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:cloudflare:boring:4.0.0:*:*:*:*:rust:*:*

History

12 Dec 2023, 15:49

Type	Values Removed	Values Added
First Time		Cloudflare boring Cloudflare
References	~~() https://github.com/cloudflare/boring/security/advisories/GHSA-pjrj-h4fg-6gm4 -~~	() https://github.com/cloudflare/boring/security/advisories/GHSA-pjrj-h4fg-6gm4 - Vendor Advisory
CWE		CWE-401
CPE		cpe:2.3:a:cloudflare:boring:4.0.0:::::rust::

05 Dec 2023, 15:27

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-12-05 15:15

Updated : 2023-12-12 15:49

NVD link : CVE-2023-6180

Mitre link : CVE-2023-6180

CVE.ORG link : CVE-2023-6180

JSON object : View

Products Affected

cloudflare

boring

CWE

CWE-401

Missing Release of Memory after Effective Lifetime

CWE-400

Uncontrolled Resource Consumption

CWE-404

Improper Resource Shutdown or Release

{"id": "CVE-2023-6180", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "cna@cloudflare.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2023-12-05T15:15:08.703", "references": [{"url": "https://github.com/cloudflare/boring/security/advisories/GHSA-pjrj-h4fg-6gm4", "tags": ["Vendor Advisory"], "source": "cna@cloudflare.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-401"}]}, {"type": "Secondary", "source": "cna@cloudflare.com", "description": [{"lang": "en", "value": "CWE-400"}, {"lang": "en", "value": "CWE-404"}]}], "descriptions": [{"lang": "en", "value": "The tokio-boring library in version 4.0.0 is affected by a memory leak issue that can lead to excessive resource consumption and potential DoS by resource exhaustion. The set_ex_data function used by the library did not deallocate memory used by pre-existing data in memory each time after completing a TLS connection causing the program to consume more resources with each new connection.\n"}, {"lang": "es", "value": "La librer\u00eda tokio-boring en la versi\u00f3n 4.0.0 se ve afectada por un problema de p\u00e9rdida de memoria que puede provocar un consumo excesivo de recursos y una posible DoS por agotamiento de los recursos. La funci\u00f3n set_ex_data utilizada por la librer\u00eda no desasign\u00f3 la memoria utilizada por los datos preexistentes en la memoria cada vez que se complet\u00f3 una conexi\u00f3n TLS, lo que provoc\u00f3 que el programa consumiera m\u00e1s recursos con cada nueva conexi\u00f3n."}], "lastModified": "2023-12-12T15:49:29.317", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:cloudflare:boring:4.0.0:*:*:*:*:rust:*:*", "vulnerable": true, "matchCriteriaId": "FE7E647F-7BD0-4C49-BF61-E39D8B8B318D"}], "operator": "OR"}]}], "sourceIdentifier": "cna@cloudflare.com"}