Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2024-47609

Summary
Assigner-GitHub_M
Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa
Published At-01 Oct, 2024 | 20:13
Updated At-21 Nov, 2024 | 16:56
Rejected At-
Credits

Remotely exploitable DoS in Tonic `<=v0.12.2`

Tonic is a native gRPC client & server implementation with async/await support. When using tonic::transport::Server there is a remote DoS attack that can cause the server to exit cleanly on accepting a TCP/TLS stream. This can be triggered by causing the accept call to error out with errors that were not covered correctly causing the accept loop to exit. Upgrading to tonic 0.12.3 and above contains the fix.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:GitHub_M
Assigner Org ID:a0819718-46f1-4df5-94e2-005712e83aaa
Published At:01 Oct, 2024 | 20:13
Updated At:21 Nov, 2024 | 16:56
Rejected At:
▼CVE Numbering Authority (CNA)
Remotely exploitable DoS in Tonic `<=v0.12.2`

Tonic is a native gRPC client & server implementation with async/await support. When using tonic::transport::Server there is a remote DoS attack that can cause the server to exit cleanly on accepting a TCP/TLS stream. This can be triggered by causing the accept call to error out with errors that were not covered correctly causing the accept loop to exit. Upgrading to tonic 0.12.3 and above contains the fix.

Affected Products
Vendor
hyperium
Product
tonic
Versions
Affected
  • >= 0.12.2, < 0.12.3
Problem Types
TypeCWE IDDescription
CWECWE-755CWE-755: Improper Handling of Exceptional Conditions
Type: CWE
CWE ID: CWE-755
Description: CWE-755: Improper Handling of Exceptional Conditions
Metrics
VersionBase scoreBase severityVector
4.06.9MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/U:Green
Version: 4.0
Base score: 6.9
Base severity: MEDIUM
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/U:Green
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/hyperium/tonic/security/advisories/GHSA-4jwc-w2hc-78qv
x_refsource_CONFIRM
https://github.com/hyperium/tonic/issues/1897
x_refsource_MISC
https://github.com/hyperium/tonic/commit/a4472a86f3290e60c7c01348b7e6a8164d6e7e48
x_refsource_MISC
Hyperlink: https://github.com/hyperium/tonic/security/advisories/GHSA-4jwc-w2hc-78qv
Resource:
x_refsource_CONFIRM
Hyperlink: https://github.com/hyperium/tonic/issues/1897
Resource:
x_refsource_MISC
Hyperlink: https://github.com/hyperium/tonic/commit/a4472a86f3290e60c7c01348b7e6a8164d6e7e48
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Vendor
hyperium
Product
tonic
CPEs
  • cpe:2.3:a:hyperium:tonic:*:*:*:*:*:*:*:*
Default Status
unknown
Versions
Affected
  • From 0 through 0.12.2 (custom)
  • From 0 through 0.12.3 (custom)
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security-advisories@github.com
Published At:01 Oct, 2024 | 21:15
Updated At:04 Oct, 2024 | 13:50

Tonic is a native gRPC client & server implementation with async/await support. When using tonic::transport::Server there is a remote DoS attack that can cause the server to exit cleanly on accepting a TCP/TLS stream. This can be triggered by causing the accept call to error out with errors that were not covered correctly causing the accept loop to exit. Upgrading to tonic 0.12.3 and above contains the fix.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.06.9MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Green
Secondary3.10.0NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
Type: Secondary
Version: 4.0
Base score: 6.9
Base severity: MEDIUM
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Green
Type: Secondary
Version: 3.1
Base score: 0.0
Base severity: NONE
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-755Primarysecurity-advisories@github.com
CWE ID: CWE-755
Type: Primary
Source: security-advisories@github.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/hyperium/tonic/commit/a4472a86f3290e60c7c01348b7e6a8164d6e7e48security-advisories@github.com
N/A
https://github.com/hyperium/tonic/issues/1897security-advisories@github.com
N/A
https://github.com/hyperium/tonic/security/advisories/GHSA-4jwc-w2hc-78qvsecurity-advisories@github.com
N/A
Hyperlink: https://github.com/hyperium/tonic/commit/a4472a86f3290e60c7c01348b7e6a8164d6e7e48
Source: security-advisories@github.com
Resource: N/A
Hyperlink: https://github.com/hyperium/tonic/issues/1897
Source: security-advisories@github.com
Resource: N/A
Hyperlink: https://github.com/hyperium/tonic/security/advisories/GHSA-4jwc-w2hc-78qv
Source: security-advisories@github.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

0Records found
Details not found