PT-2024-32670 · Tonic · Tonic
Luciofranco · Published 2024-10-01 · Updated 2024-10-30
CVE-2024-47609
CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Green
Name of the Vulnerable Software and Affected Versions
Tonic (the Rust gRPC framework, crate `tonic`), versions 0.12.0 through 0.12.2
Description
The issue is a remote denial of service that makes the server exit cleanly when `tonic::transport::Server` is used to accept TCP or TLS streams. If the underlying accept call returns an error that the built-in accept loop does not handle, the loop terminates and the server stops accepting new connections. Because the loop exits cleanly rather than panicking, there is no crash to signal the failure; the server simply stops serving. A remote client can trigger this by driving the accept call into one of the error conditions that versions 0.12.0 through 0.12.2 did not cover.
Recommendations
For versions 0.12.0 through 0.12.2, upgrade to tonic 0.12.3 or later, which handles these accept errors without leaving the loop.
If upgrading is not immediately possible, replace the built-in accept loop with a custom one that treats accept errors as recoverable (log and continue for per-connection failures, back off and retry for resource exhaustion) and only stops when the listener itself is unusable.
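The following is an added example of the kind of custom accept loop the workaround above refers to; it is not tonic's code and does not reproduce the exact set of errors tonic 0.12.3 tolerates. tonic's transport is asynchronous (tokio/hyper), whereas this example uses the synchronous `std::net` API so that it runs without external crates; the structure is the same: classify each accept error, and never let a transient or resource-exhaustion error end the loop. The errno constants are Linux values (an assumption; `ENOBUFS` in particular differs on other platforms), and the Linux accept(2) manual page documents `ECONNABORTED`, `EMFILE`, `ENFILE`, `ENOBUFS` and `ENOMEM` as possible failures of a single accept call. The client thread in `main` is constructed for the demonstration only.

```rust
// Added example, not tonic's code: a synchronous std::net accept loop that
// classifies accept(2) failures instead of exiting on the first unexpected one.
use std::io;
use std::net::{TcpListener, TcpStream};
use std::thread;
use std::time::Duration;

/// What the accept loop does after `accept()` returns an error.
#[derive(Debug, PartialEq, Eq)]
pub enum AcceptAction {
    /// Failure scoped to one pending connection: log it and keep accepting.
    Retry,
    /// Descriptor/buffer exhaustion: wait for in-flight connections to close,
    /// then keep accepting.
    Backoff(Duration),
    /// The listener itself is unusable: stop the loop and surface the error.
    Fatal,
}

// Linux errno values for resource exhaustion (assumption: Linux target).
const ENOMEM: i32 = 12;
const ENFILE: i32 = 23;
const EMFILE: i32 = 24;
const ENOBUFS: i32 = 105;

/// Decide how to react to an error returned by `TcpListener::accept`.
pub fn classify_accept_error(err: &io::Error) -> AcceptAction {
    use io::ErrorKind::*;
    if matches!(err.raw_os_error(), Some(ENOMEM | ENFILE | EMFILE | ENOBUFS)) {
        // Exiting here is exactly the DoS: a burst of connections that exhausts
        // file descriptors would take the whole server down. Sleeping lets
        // existing connections finish and free descriptors.
        return AcceptAction::Backoff(Duration::from_millis(100));
    }
    match err.kind() {
        // The peer went away between the handshake and our accept, or the call
        // was interrupted: nothing is wrong with the listener.
        ConnectionAborted | ConnectionReset | ConnectionRefused | BrokenPipe
        | Interrupted | WouldBlock | TimedOut => AcceptAction::Retry,
        _ => AcceptAction::Fatal,
    }
}

/// Accept until `handle` returns `false` (so the example can terminate) or a
/// fatal error occurs. Transient errors never end the loop.
pub fn accept_loop(
    listener: &TcpListener,
    mut handle: impl FnMut(TcpStream) -> bool,
) -> io::Result<()> {
    loop {
        match listener.accept() {
            Ok((stream, _peer)) => {
                if !handle(stream) {
                    return Ok(());
                }
            }
            Err(e) => match classify_accept_error(&e) {
                AcceptAction::Retry => eprintln!("accept error (transient), continuing: {e}"),
                AcceptAction::Backoff(delay) => {
                    eprintln!("accept error (resource exhaustion), backing off {delay:?}: {e}");
                    thread::sleep(delay);
                }
                AcceptAction::Fatal => return Err(e),
            },
        }
    }
}

fn main() -> io::Result<()> {
    let listener = TcpListener::bind("127.0.0.1:0")?;
    let addr = listener.local_addr()?;
    // Constructed client: three short-lived connections to the listener above.
    let client = thread::spawn(move || {
        for _ in 0..3 {
            let _ = TcpStream::connect(addr);
        }
    });
    let mut accepted = 0;
    accept_loop(&listener, |_stream| {
        accepted += 1;
        accepted < 3
    })?;
    client.join().expect("client thread panicked");
    println!("accepted {accepted} connections; the loop exited only when asked to");
    Ok(())
}
```

The important design choice is the default arm: an unknown error is the only thing that stops the loop, and even then it is returned to the caller rather than silently ending the task, so the failure is visible. Before relying on a workaround at all, confirm which tonic version Cargo actually resolved (for example with `cargo tree -i tonic`), since a fixed version in `Cargo.toml` does not help if the lock file still pins 0.12.2; `cargo update -p tonic` moves the lock file to 0.12.3 or later.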
Weakness Enumeration
CWE-755: Improper Handling of Exceptional Conditions
Related Identifiers
CVE-2024-47609
Affected Products
Tonic