{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-6180", "assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513", "state": "PUBLISHED", "assignerShortName": "cloudflare", "dateReserved": "2023-11-16T19:15:23.367Z", "datePublished": "2023-12-05T15:02:40.007Z", "dateUpdated": "2024-08-02T08:21:17.825Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://github.com/cloudflare/boring/tree/master/tokio-boring", "defaultStatus": "unaffected", "modules": ["toki-boring"], "packageName": "boring", "product": "tokio-boring", "vendor": "Cloudflare", "versions": [{"lessThanOrEqual": "4.1.0", "status": "affected", "version": "4.0.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "reporter", "user": "00000000-0000-4000-9000-000000000000", "value": "Eric Rosenberg"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">The tokio-boring library in version 4.0.0 is affected by a memory leak issue that can lead to excessive resource consumption and potential DoS by resource exhaustion. The set_ex_data function used by the library did not deallocate memory used by pre-existing data in memory each time after completing a TLS connection causing the program to consume more resources with each new connection.</span><br>"}], "value": "The tokio-boring library in version 4.0.0 is affected by a memory leak issue that can lead to excessive resource consumption and potential DoS by resource exhaustion. The set_ex_data function used by the library did not deallocate memory used by pre-existing data in memory each time after completing a TLS connection causing the program to consume more resources with each new connection.\n"}], "impacts": [{"capecId": "CAPEC-130", "descriptions": [{"lang": "en", "value": "CAPEC-130 Excessive Allocation"}]}, {"capecId": "CAPEC-131", "descriptions": [{"lang": "en", "value": "CAPEC-131 Resource Leak Exposure"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-404", "description": "CWE-404 Improper Resource Shutdown or Release", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513", "shortName": "cloudflare", "dateUpdated": "2023-12-05T15:02:40.007Z"}, "references": [{"url": "https://github.com/cloudflare/boring/security/advisories/GHSA-pjrj-h4fg-6gm4"}], "source": {"discovery": "EXTERNAL"}, "title": "Resource exhaustion via memory leak in tokio-boring", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T08:21:17.825Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/cloudflare/boring/security/advisories/GHSA-pjrj-h4fg-6gm4", "tags": ["x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cloudflare:boring:4.0.0:*:*:*:*:rust:*:*", "matchCriteriaId": "FE7E647F-7BD0-4C49-BF61-E39D8B8B318D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The tokio-boring library in version 4.0.0 is affected by a memory leak issue that can lead to excessive resource consumption and potential DoS by resource exhaustion. The set_ex_data function used by the library did not deallocate memory used by pre-existing data in memory each time after completing a TLS connection causing the program to consume more resources with each new connection.\n"}, {"lang": "es", "value": "La librer\u00eda tokio-boring en la versi\u00f3n 4.0.0 se ve afectada por un problema de p\u00e9rdida de memoria que puede provocar un consumo excesivo de recursos y una posible DoS por agotamiento de los recursos. La funci\u00f3n set_ex_data utilizada por la librer\u00eda no desasign\u00f3 la memoria utilizada por los datos preexistentes en la memoria cada vez que se complet\u00f3 una conexi\u00f3n TLS, lo que provoc\u00f3 que el programa consumiera m\u00e1s recursos con cada nueva conexi\u00f3n."}], "id": "CVE-2023-6180", "lastModified": "2024-11-21T08:43:18.253", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "cna@cloudflare.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-12-05T15:15:08.703", "references": [{"source": "cna@cloudflare.com", "tags": ["Vendor Advisory"], "url": "https://github.com/cloudflare/boring/security/advisories/GHSA-pjrj-h4fg-6gm4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://github.com/cloudflare/boring/security/advisories/GHSA-pjrj-h4fg-6gm4"}], "sourceIdentifier": "cna@cloudflare.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}, {"lang": "en", "value": "CWE-404"}], "source": "cna@cloudflare.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-401"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{}