Vulnerability DatabaseCVE-2023-43669
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2023-43669
September 21, 2023
The Tungstenite crate before 0.20.1 for Rust allows remote attackers to cause a denial of service (minutes of CPU consumption) via an excessive length of an HTTP header in a client handshake. The length affects both how many times a parse is attempted (e.g., thousands of times) and the average amount of data for each parse attempt (e.g., millions of bytes).
Affected Packages
tungstenite (RUST):
Affected version(s) >=0.1.0 <0.20.1
Fix Suggestion:
Update to version 0.20.1
Related Resources (23)
https://crates.io/crates/tungstenite/versions
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TT7SF6CQ5VHAGFLWNXY64NFSW4WIWE7D/
https://nvd.nist.gov/vuln/detail/CVE-2023-43669
https://github.com/snapview/tungstenite-rs/commit/8b3ecd3cc0008145ab4bc8d0657c39d09db8c7e2
https://cwe.mitre.org/data/definitions/407.html
https://bugzilla.redhat.com/show_bug.cgi?id=2240110
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TT7SF6CQ5VHAGFLWNXY64NFSW4WIWE7D
https://rustsec.org/advisories/RUSTSEC-2023-0065.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/THK6G6CD4VW6RCROWUV2C4HSINKK3XAK/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/THK6G6CD4VW6RCROWUV2C4HSINKK3XAK
https://security-tracker.debian.org/tracker/CVE-2023-43669
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R77EUWPZVP5WSMNXUXUDNHR7G7OI5NGM/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R77EUWPZVP5WSMNXUXUDNHR7G7OI5NGM
https://github.com/snapview/tungstenite-rs
https://bugzilla.suse.com/show_bug.cgi?id=1215563
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TT7SF6CQ5VHAGFLWNXY64NFSW4WIWE7D
https://github.com/snapview/tungstenite-rs/issues/376
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R77EUWPZVP5WSMNXUXUDNHR7G7OI5NGM
https://crates.io/crates/tungstenite
https://github.com/github/advisory-database/pull/2752
https://github.com/advisories/GHSA-9mcr-873m-xcxp
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/THK6G6CD4VW6RCROWUV2C4HSINKK3XAK
https://github.com/snapview/tungstenite-rs/pull/379
Do you need more information?
Contact Us
CVSS v4
Base Score:
8.7
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
NONE
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
7.5
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
NONE
Integrity
NONE
Availability
HIGH
Weakness Type (CWE)
Uncontrolled Resource Consumption
CWE-400
EPSS
Base Score:
3.22