
Vulnerability discovered in Tungstenite #2550

Closed
c-git opened this issue Oct 4, 2023 · 0 comments · Fixed by #2573
Labels
dependencies Related to Serenity dependencies.

c-git commented Oct 4, 2023

A vulnerability has been discovered in the version of Tungstenite used in this crate. Unfortunately, upgrading to the newest version causes this crate to no longer compile. Not sure what the best way forward is. Creating this issue to raise awareness and hopefully find a way to be able to upgrade.

To generate the output below, cargo deny needs to be installed: cargo install cargo-deny

Output of cargo deny check advisories

2023-10-04 22:42:09 [WARN] unable to find a config path, falling back to default config
error[vulnerability]: Tungstenite allows remote attackers to cause a denial of service
    ┌─ /home/user/serenity/Cargo.lock:137:1
    │
137 │ tungstenite 0.17.3 registry+https://github.com/rust-lang/crates.io-index
    │ ------------------------------------------------------------------------ security vulnerability detected
    │
    = ID: RUSTSEC-2023-0065
    = Advisory: https://rustsec.org/advisories/RUSTSEC-2023-0065
    = The Tungstenite crate through 0.20.0 for Rust allows remote attackers to cause
      a denial of service (minutes of CPU consumption) via an excessive length of an
      HTTP header in a client handshake. The length affects both how many times a parse
      is attempted (e.g., thousands of times) and the average amount of data for each
      parse attempt (e.g., millions of bytes).
    = Announcement: https://github.com/snapview/tungstenite-rs/issues/376
    = Solution: Upgrade to >=0.20.1
    = tungstenite v0.17.3
      └── async-tungstenite v0.17.2
          └── serenity v0.11.6

advisories FAILED
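The advisory text above names two cost factors in the handshake: how many times a parse is attempted and how much data each attempt sees. The following is an added example written for this page, not code from Serenity, Tungstenite or the issue author. It shows a bounded handshake reader on the server side that removes both factors: it searches only for the header-block terminator as chunks arrive and parses exactly once, after the terminator is present, and it rejects the handshake as soon as the buffered bytes exceed a fixed cap. The cap value (8 KiB) and the minimal request-line and header-line checks standing in for a real HTTP parser are constructed for the example.

```rust
// Added example (not Serenity/Tungstenite code): a bounded reader for a
// WebSocket server's client handshake. Parsing happens once, after the
// "\r\n\r\n" terminator arrives, and the total buffered size is capped, so
// neither the number of parse attempts nor the bytes per attempt can be
// driven up by an oversized header.

/// Maximum header block we are willing to buffer before rejecting the
/// handshake. Constructed value for this example; size it for your clients.
pub const MAX_HANDSHAKE_BYTES: usize = 8 * 1024;

#[derive(Debug, PartialEq)]
pub enum HandshakeError {
    /// The header block exceeded MAX_HANDSHAKE_BYTES before its terminator.
    TooLarge { buffered: usize },
    /// The terminator arrived but the block was not a well-formed request.
    Malformed(&'static str),
}

#[derive(Debug, PartialEq)]
pub enum Progress {
    /// More bytes needed; no parse was attempted for this chunk.
    Incomplete,
    /// Header block complete and parsed once.
    Complete { request_line: String, header_count: usize },
}

#[derive(Default)]
pub struct HandshakeReader {
    buf: Vec<u8>,
    parse_attempts: usize,
}

impl HandshakeReader {
    pub fn new() -> Self {
        Self::default()
    }

    /// Feed one chunk as it arrives from the socket.
    pub fn feed(&mut self, chunk: &[u8]) -> Result<Progress, HandshakeError> {
        // The size check runs on every chunk and rejects before copying;
        // the header parse does not run until the terminator is present.
        let old_len = self.buf.len();
        if old_len + chunk.len() > MAX_HANDSHAKE_BYTES {
            return Err(HandshakeError::TooLarge { buffered: old_len + chunk.len() });
        }
        self.buf.extend_from_slice(chunk);

        // Scan only the new bytes plus a 3-byte overlap, so a terminator split
        // across chunks is found without rescanning the whole buffer each time.
        let start = old_len.saturating_sub(3);
        let end = match find_terminator(&self.buf[start..]) {
            Some(offset) => start + offset,
            None => return Ok(Progress::Incomplete),
        };
        self.parse_attempts += 1;
        parse_headers(&self.buf[..end])
    }

    pub fn parse_attempts(&self) -> usize {
        self.parse_attempts
    }
}

fn find_terminator(buf: &[u8]) -> Option<usize> {
    buf.windows(4).position(|w| w == b"\r\n\r\n")
}

/// Minimal stand-in for a real HTTP request parser (constructed for the example).
fn parse_headers(block: &[u8]) -> Result<Progress, HandshakeError> {
    let text = std::str::from_utf8(block)
        .map_err(|_| HandshakeError::Malformed("non-UTF-8 header block"))?;
    let mut lines = text.split("\r\n");
    let request_line = lines
        .next()
        .filter(|l| l.starts_with("GET ") && l.ends_with(" HTTP/1.1"))
        .ok_or(HandshakeError::Malformed("bad request line"))?;
    let mut header_count = 0;
    for line in lines {
        if !line.contains(':') {
            return Err(HandshakeError::Malformed("header line without ':'"));
        }
        header_count += 1;
    }
    Ok(Progress::Complete { request_line: request_line.to_string(), header_count })
}

/// Drives a reader over a handshake delivered in fixed-size chunks, the way a
/// slow client would deliver it. Returns the final outcome and the number of
/// parse attempts it cost.
pub fn run_in_chunks(payload: &[u8], chunk_size: usize) -> (Result<Progress, HandshakeError>, usize) {
    let mut reader = HandshakeReader::new();
    let mut last = Ok(Progress::Incomplete);
    for chunk in payload.chunks(chunk_size) {
        last = reader.feed(chunk);
        if last.is_err() || matches!(&last, Ok(Progress::Complete { .. })) {
            break;
        }
    }
    (last, reader.parse_attempts())
}

fn main() {
    // Constructed inputs: a normal handshake, then one with a 9000-byte header.
    let ok = b"GET /chat HTTP/1.1\r\nHost: example.test\r\nUpgrade: websocket\r\n\r\n";
    let (res, attempts) = run_in_chunks(ok, 5);
    println!("{res:?} after {attempts} parse attempt(s)");
    let mut big = b"GET / HTTP/1.1\r\nX-Pad: ".to_vec();
    big.resize(big.len() + 9000, b'a');
    let (res, attempts) = run_in_chunks(&big, 1024);
    println!("{res:?} after {attempts} parse attempt(s)");
}
```

The oversized input is rejected with zero parse attempts, and even a well-formed handshake delivered five bytes at a time costs exactly one parse, which is the property the advisory says the affected versions lacked.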
