CVE-2024-47609 MEDIUM

CVE-2024-47609: Remotely exploitable DoS in Tonic `<=v0.12.2`

Vendor Hyperium
Product tonic
Weakness CWE-755
Published October 1, 2024
Last update November 21, 2024

CVSS base score

6.9/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/U:Green

What the vulnerability does

01Description

Tonic is a native gRPC client & server implementation with async/await support. When using tonic::transport::Server there is a remote DoS attack that can cause the server to exit cleanly on accepting a TCP/TLS stream. This can be triggered by causing the accept call to error out with errors that were not covered correctly causing the accept loop to exit. Upgrading to tonic 0.12.3 and above contains the fix.

Key dates

02Disclosure timeline

October 1, 2024 CVE published
November 21, 2024 Record updated