Lucene search

[email protected]NVD:CVE-2024-28854

HistoryMar 15, 2024 - 7:15 p.m.

CVE-2024-28854

2024-03-1519:15:07

CWE-400

[email protected]

web.nvd.nist.gov

cve-2024-28854

rust lang

tls-listener

dos

tcpstream

tlslistener

upgrade

mitigation

builder.

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.0004 Low

EPSS

Percentile

15.5%

JSON

tls-listener is a rust lang wrapper around a connection listener to support TLS. With the default configuration of tls-listener, a malicious user can open 6.4 TcpStreams a second, sending 0 bytes, and can trigger a DoS. The default configuration options make any public service using TlsListener::new() vulnerable to a slow-loris DoS attack. This impacts any publicly accessible service using the default configuration of tls-listener in versions prior to 0.10.0. Users are advised to upgrade. Users unable to upgrade may mitigate this by passing a large value, such as usize::MAX as the parameter to Builder::max_handshakes.

References

en.wikipedia.org/wiki/Slowloris_(computer_security)

github.com/tmccombs/tls-listener/commit/d5a7655d6ea9e53ab57c3013092c5576da964bc4

github.com/tmccombs/tls-listener/security/advisories/GHSA-2qph-qpvm-2qf7

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.0004 Low

EPSS

Percentile

15.5%

JSON

Related for NVD:CVE-2024-28854

github1 osv3 cvelist1 cve1