GHSA-9xjr-m6f3-v5wm
Suggest an improvement- Source
- https://github.com/advisories/GHSA-9xjr-m6f3-v5wm
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-9xjr-m6f3-v5wm/GHSA-9xjr-m6f3-v5wm.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-9xjr-m6f3-v5wm
- Aliases
- Published
- 2021-08-25T20:43:06Z
- Modified
- 2023-11-08T03:58:21.636340Z
- Severity
-
- 4.8 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
- Summary
- HTTPS MitM vulnerability due to lack of hostname verification
- Details
-
When used on Windows platforms, all versions of Hyper prior to 0.9.4 did not perform hostname verification when making HTTPS requests.
This allows an attacker to perform MitM attacks by preventing any valid CA-issued certificate, even if there's a hostname mismatch.
The problem was addressed by leveraging rust-openssl's built-in support for hostname verification.
- Database specific
{ "nvd_published_at": null, "cwe_ids": [ "CWE-347" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2021-08-19T21:25:12Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2016-10932
- https://github.com/hyperium/hyper/issues/472
- https://github.com/hyperium/hyper/commit/01160abd92956e5f995cc45790df7a2b86c8989f
- https://github.com/hyperium/hyper/blob/master/CHANGELOG.md#v094-2016-05-09
- https://rustsec.org/advisories/RUSTSEC-2016-0002.html
Affected packages
crates.io / hyper
Package
- Name
- hyper
- View open source insights on deps.dev
- Purl
- pkg:cargo/hyper