Tonic is a native gRPC client & server implementation with async/await support. When using tonic::transport::Server there is a remote DoS attack that can cause the server to exit cleanly on accepting a TCP/TLS stream. This can be triggered by causing the accept call to error out with errors that were not covered correctly causing the accept loop to exit. Upgrading to tonic 0.12.3 and above contains the fix.
History

Fri, 22 Nov 2024 12:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 0.0, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N'}

cvssV3_1

{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L'}


Wed, 02 Oct 2024 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Hyperium
Hyperium tonic
CPEs cpe:2.3:a:hyperium:tonic:*:*:*:*:*:*:*:*
Vendors & Products Hyperium
Hyperium tonic
Metrics cvssV3_1

{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

cvssV3_1

{'score': 0, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N'}


Wed, 02 Oct 2024 01:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L'}

threat_severity

Low


Tue, 01 Oct 2024 20:30:00 +0000

Type Values Removed Values Added
Description Tonic is a native gRPC client & server implementation with async/await support. When using tonic::transport::Server there is a remote DoS attack that can cause the server to exit cleanly on accepting a TCP/TLS stream. This can be triggered by causing the accept call to error out with errors that were not covered correctly causing the accept loop to exit. Upgrading to tonic 0.12.3 and above contains the fix.
Title Remotely exploitable DoS in Tonic `<=v0.12.2`
Weaknesses CWE-755
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/U:Green'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-10-01T20:13:55.017Z

Updated: 2024-11-21T16:56:13.633Z

Reserved: 2024-09-27T20:37:22.120Z

Link: CVE-2024-47609

cve-icon Vulnrichment

Updated: 2024-10-02T13:14:25.218Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2024-10-01T21:15:08.400

Modified: 2024-11-21T17:15:17.250

Link: CVE-2024-47609

cve-icon Redhat

Severity : Low

Publid Date: 2024-10-01T20:13:55Z

Links: CVE-2024-47609 - Bugzilla