CVE-2022-35922
Memory allocation based on untrusted length in rust-websocket
- Severity Score
- Exploit Likelihood
- Affected Versions
- Public Exploits: 0
- Exploited in Wild: -
- Decision: -
Descriptions
Rust-WebSocket is a WebSocket (RFC6455) library written in Rust. In versions prior to 0.26.5, untrusted websocket connections can cause an out-of-memory (OOM) process abort in a client or a server. The root cause lies in dataframe parsing: affected versions allocate a buffer based on the declared dataframe size, which may come from an untrusted source. When `Vec::with_capacity` fails to allocate, the default Rust allocator aborts the current process, killing all threads. This affects only the sync (non-Tokio) implementation. The async version also does not limit memory, but it does not use `with_capacity`, so a DoS can happen only when the bytes for the oversized dataframe or message are actually delivered by the attacker. The crashes are fixed in version 0.26.5 by imposing default dataframe size limits. Affected users are advised to update to this version. Users unable to upgrade are advised to filter websocket traffic externally or to only accept trusted traffic.
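A reduced model of the defect described above, added here as an example and not rust-websocket's own code: `read_payload_unbounded` mirrors the pre-0.26.5 pattern of sizing the buffer from the peer-declared length, while `read_payload_bounded` rejects oversized declarations before touching the allocator and uses `try_reserve_exact` so a residual allocation failure becomes an error rather than a process abort. `MAX_DATAFRAME_SIZE` is an assumed value; the advisory does not state the library's default limit.

```rust
use std::convert::TryFrom;
use std::io::Read;

/// Assumed per-frame cap for this example; the advisory does not give the library's default.
pub const MAX_DATAFRAME_SIZE: usize = 16 * 1024 * 1024;

#[derive(Debug, PartialEq)]
pub enum FrameError {
    TooLarge(u64),
    Truncated,
}

/// Decode the RFC 6455 payload-length field of an unmasked frame header.
/// Returns (declared length, header bytes consumed).
pub fn declared_len(header: &[u8]) -> Result<(u64, usize), FrameError> {
    let b = *header.get(1).ok_or(FrameError::Truncated)? & 0x7F;
    match b {
        126 => {
            let s = header.get(2..4).ok_or(FrameError::Truncated)?;
            Ok((u64::from(u16::from_be_bytes([s[0], s[1]])), 4))
        }
        127 => {
            let s = header.get(2..10).ok_or(FrameError::Truncated)?;
            let mut a = [0u8; 8];
            a.copy_from_slice(s);
            Ok((u64::from_be_bytes(a), 10))
        }
        n => Ok((u64::from(n), 2)),
    }
}

/// Vulnerable pattern from the advisory: capacity comes straight from the declared
/// length, so a header declaring 2^62 bytes aborts the process when allocation fails.
pub fn read_payload_unbounded<R: Read>(r: &mut R, len: u64) -> Result<Vec<u8>, FrameError> {
    let mut buf = Vec::with_capacity(len as usize); // aborts, does not return Err, on OOM
    buf.resize(len as usize, 0);
    r.read_exact(&mut buf).map_err(|_| FrameError::Truncated)?;
    Ok(buf)
}

/// Bounded version: check the declared length against a cap before allocating (the
/// usize conversion also guards 32-bit hosts), then make allocation failure an error.
pub fn read_payload_bounded<R: Read>(r: &mut R, len: u64, limit: usize) -> Result<Vec<u8>, FrameError> {
    let n = usize::try_from(len).ok().filter(|&n| n <= limit).ok_or(FrameError::TooLarge(len))?;
    let mut buf = Vec::new();
    buf.try_reserve_exact(n).map_err(|_| FrameError::TooLarge(len))?;
    buf.resize(n, 0);
    r.read_exact(&mut buf).map_err(|_| FrameError::Truncated)?;
    Ok(buf)
}
```

A constructed header such as `[0x82, 0x7F, 0x40, 0, 0, 0, 0, 0, 0, 0]` declares a 2^62-byte payload with no body bytes following; the bounded reader returns `TooLarge` without allocating, whereas the unbounded one would abort on allocation failure.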
CVSS Scores
SSVC
- Decision: -
Timeline
- 2022-07-15 CVE Reserved
- 2022-08-01 CVE Published
- 2024-03-22 EPSS Updated
- 2024-08-03 CVE Updated
- Exploited in Wild: -
- KEV Due Date: -
- First Exploit: -
CWE
- CWE-400: Uncontrolled Resource Consumption
- CWE-770: Allocation of Resources Without Limits or Throttling
CAPEC
References (4)
URL | Tag | Source
---|---|---
https://github.com/websockets-rs/rust-websocket/security/advisories/GHSA-qrjv-rf5q-qpxc | Third Party Advisory |

URL | Date | SRC
---|---|---
https://github.com/websockets-rs/rust-websocket/commit/cbf6e9983e839d2ecad86de8cd1b3f20ed43390b | 2023-11-07 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Rust-websocket Project | Rust-websocket | < 0.26.5 | - | Affected
Fedoraproject | Fedora | 35 | - | Affected
Fedoraproject | Fedora | 36 | - | Affected