GHSA-34p9-f4q3-c4r7

Suggest an improvement
Source
https://github.com/advisories/GHSA-34p9-f4q3-c4r7
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-34p9-f4q3-c4r7/GHSA-34p9-f4q3-c4r7.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-34p9-f4q3-c4r7
Aliases
Published
2021-08-25T20:43:11Z
Modified
2023-11-08T03:58:21.575910Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Improper Certificate Validation in openssl
Details

All versions of rust-openssl prior to 0.9.0 contained numerous insecure defaults including off-by-default certificate verification and no API to perform hostname verification. Unless configured correctly by a developer, these defaults could allow an attacker to perform man-in-the-middle attacks. The problem was addressed in newer versions by enabling certificate verification by default and exposing APIs to perform hostname verification. Use the SslConnector and SslAcceptor types to take advantage of these new features (as opposed to the lower-level SslContext type).

Database specific 
{
    "nvd_published_at": "2019-08-26T12:15:00Z",
    "cwe_ids": [
        "CWE-295"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2021-08-19T21:25:06Z"
}
References

Affected packages

crates.io / openssl

Package

Name
openssl
View open source insights on deps.dev
Purl
pkg:cargo/openssl

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.9.0