RUSTSEC-2020-0043: Insufficient size checks in outgoing buffer in ws allows remote attacker to run the process out of memory #1595

github-actions · 2020-09-26T00:14:36Z

Insufficient size checks in outgoing buffer in ws allows remote attacker to run the process out of memory

Details
Package	`ws`
Version	`0.9.1`
URL	housleyjk/ws-rs#291
Date	2020-09-25

Affected versions of this crate did not properly check and cap the growth of the outgoing buffer.

This allows a remote attacker to take down the process by growing the buffer of their (single) connection until the process runs out of memory it can allocate and is killed.

The flaw was corrected in the parity-ws fork (>0.10.0) by disconnecting a client when the buffer runs full.

See advisory page for additional details.

The text was updated successfully, but these errors were encountered:

tmpolaczyk · 2020-09-28T08:36:14Z

Using cargo tree:

ws v0.9.1 is a dependency of jsonrpc-ws-server v14.0.6, which is a dependency of witnet_net

Updating jsonrpc-ws-server to the latest version should probably fix.

tmpolaczyk mentioned this issue Oct 1, 2020

chore: update jsonrpc-ws-server dependency #1609

Merged

tmpolaczyk closed this as completed in #1609 Oct 16, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

RUSTSEC-2020-0043: Insufficient size checks in outgoing buffer in ws allows remote attacker to run the process out of memory #1595

RUSTSEC-2020-0043: Insufficient size checks in outgoing buffer in ws allows remote attacker to run the process out of memory #1595

github-actions bot commented Sep 26, 2020

tmpolaczyk commented Sep 28, 2020

RUSTSEC-2020-0043: Insufficient size checks in outgoing buffer in ws allows remote attacker to run the process out of memory #1595

RUSTSEC-2020-0043: Insufficient size checks in outgoing buffer in ws allows remote attacker to run the process out of memory #1595

Comments

github-actions bot commented Sep 26, 2020

tmpolaczyk commented Sep 28, 2020