Upstream information

CVE-2024-47609 at MITRE

Description

Tonic is a native gRPC client & server implementation with async/await support. When using tonic::transport::Server there is a remote DoS attack that can cause the server to exit cleanly on accepting a TCP/TLS stream. This can be triggered by causing the accept call to error out with errors that were not covered correctly causing the accept loop to exit. Upgrading to tonic 0.12.3 and above contains the fix.

SUSE information

Overall state of this security issue: Resolved

This issue is currently rated as having moderate severity.

CVSS v3 Scores
  CNA (CISA-ADP)
Base Score 0
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality Impact None
Integrity Impact None
Availability Impact None
CVSSv3 Version 3.1
CVSS v4 Scores
  CNA (GitHub)
Base Score 6.9
Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Green
Attack Vector Network
Attack Complexity Low
Attack Requirements None
Privileges Required None
User Interaction None
Vulnerable System Confidentiality Impact None
Vulnerable System Integrity Impact None
Vulnerable System Availability Impact Low
Subsequent System Confidentiality Impact None
Subsequent System Integrity Impact None
Subsequent System Availability Impact None
CVSSv4 Version 4.0
No SUSE Bugzilla entries cross referenced.

SUSE Security Advisories:

List of released packages

Product(s) Fixed package version(s) References
openSUSE Tumbleweed
  • cargo-audit-advisory-db >= 20241030-1.1
Patchnames:
openSUSE-Tumbleweed-2024-14440


SUSE Timeline for this CVE

CVE page created: Wed Oct 2 00:00:17 2024
CVE page last modified: Thu Dec 12 17:58:15 2024