Memory Leak in tokio-boring 4.0.0 Leads to DoS via Resource Exhaustion
CVE-2023-6180 Published on December 5, 2023

Resource exhaustion via memory leak in tokio-boring
The tokio-boring library in version 4.0.0 is affected by a memory leak issue that can lead to excessive resource consumption and potential DoS by resource exhaustion. The set_ex_data function used by the library did not deallocate memory used by pre-existing data in memory each time after completing a TLS connection causing the program to consume more resources with each new connection.

Github Repository NVD

Vulnerability Analysis

CVE-2023-6180 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a small impact on availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
NONE
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
NONE
Integrity Impact:
NONE
Availability Impact:
LOW

Weakness Types

What is a Resource Exhaustion Vulnerability?

The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

CVE-2023-6180 has been classified to as a Resource Exhaustion vulnerability or weakness.

Improper Resource Shutdown or Release

The program does not release or incorrectly releases a resource before it is made available for re-use. When a resource is created or allocated, the developer is responsible for properly releasing the resource as well as accounting for all potential paths of expiration or invalidation, such as a set period of time or revocation.


Products Associated with CVE-2023-6180

Want to know whenever a new CVE is published for CloudFlare Boring? stack.watch will email you.

CloudFlare Boring
 

Affected Versions

Cloudflare tokio-boring:

Exploit Probability

EPSS
0.62%
Percentile
44.90%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.