GHSA-9qwg-crg9-m2vc

Source
https://github.com/advisories/GHSA-9qwg-crg9-m2vc
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-9qwg-crg9-m2vc/GHSA-9qwg-crg9-m2vc.json
Aliases
Published
2023-03-24T22:01:29Z
Modified
2023-11-08T04:18:04.563523Z
Summary
`openssl` `SubjectAlternativeName` and `ExtendedKeyUsage::other` allow arbitrary file read
Details

SubjectAlternativeName and ExtendedKeyUsage arguments were parsed using the OpenSSL function X509V3_EXT_nconf. This function parses all input using an OpenSSL mini-language which can perform arbitrary file reads.

Thanks to David Benjamin (Google) for reporting this issue.

References

Affected packages

crates.io / openssl

Package

Name
openssl

Affected ranges

Type
SEMVER
Events
Introduced
0.9.7
Fixed
0.10.48