CVE-2024-28854
HIGHtls-listener < 0.10.0 - Denial of Service via Slowloris Attack
Title source: llmDescription
tls-listener is a rust lang wrapper around a connection listener to support TLS. With the default configuration of tls-listener, a malicious user can open 6.4 `TcpStream`s a second, sending 0 bytes, and can trigger a DoS. The default configuration options make any public service using `TlsListener::new()` vulnerable to a slow-loris DoS attack. This impacts any publicly accessible service using the default configuration of tls-listener in versions prior to 0.10.0. Users are advised to upgrade. Users unable to upgrade may mitigate this by passing a large value, such as `usize::MAX` as the parameter to `Builder::max_handshakes`.
References (3)
Core 3
Core References
Exploit, Mitigation, Third Party Advisory x_refsource_confirm
https://github.com/tmccombs/tls-listener/security/advisories/GHSA-2qph-qpvm-2qf7
Patch x_refsource_misc
https://github.com/tmccombs/tls-listener/commit/d5a7655d6ea9e53ab57c3013092c5576da964bc4
Product x_refsource_misc
https://en.wikipedia.org/wiki/Slowloris_(computer_security)
Scores
CVSS v3
7.5
EPSS
0.0096
EPSS Percentile
57.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-400
Status
published
Products (2)
crates.io/tls-listener
0 - 0.10.0crates.io
tmccombs/tls-listener
< 0.10.0
Published
Mar 15, 2024
Tracked Since
Feb 18, 2026