HSEC-2023-0005

Import Source
https://github.com/haskell/security-advisories/blob/generated/osv-export/2023/HSEC-2023-0005.json
JSON Data
https://api.osv.dev/v1/vulns/HSEC-2023-0005
Aliases
  • CVE-2013-0243
Published
2023-07-19T13:29:39Z
Modified
2023-12-13T13:05:26.363609Z
Summary
tls-extra: certificate validation does not check Basic Constraints
Details

tls-extra does not check the Basic Constraints extension of a certificate in certificate chain processing. Any certificate is treated as a CA certificate. As a consequence, anyone who has a valid certificate can use it to sign another one (with an arbitrary subject DN/domain name embedded into it) and have it accepted by tls. This allows MITM attacks on TLS connections.
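The missing check, as an added example that is not tls-extra's code: a simplified chain walk with and without the Basic Constraints test (cA flag and pathLenConstraint, per RFC 5280). The Cert model, the names and the sample chains are constructed, and signature verification is assumed to have already succeeded.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate (hypothetical model)."""
    subject: str
    issuer: str
    is_ca: Optional[bool] = None    # Basic Constraints cA; None = extension absent
    path_len: Optional[int] = None  # pathLenConstraint; None = no limit

def names_chain(chain: List[Cert], trusted: Set[str]) -> bool:
    """Issuer/subject linkage up to a trusted root; signatures assumed valid."""
    linked = all(c.issuer == p.subject for c, p in zip(chain, chain[1:]))
    return linked and chain[-1].subject in trusted

def validate_without_bc(chain: List[Cert], trusted: Set[str]) -> bool:
    """Behaviour the advisory describes: every issuer is treated as a CA."""
    return names_chain(chain, trusted)

def validate_with_bc(chain: List[Cert], trusted: Set[str]) -> bool:
    """Additionally require cA=TRUE and honour pathLenConstraint on each issuer."""
    if not names_chain(chain, trusted):
        return False
    for i, issuer in enumerate(chain[1:], start=1):
        if issuer.is_ca is not True:   # absent extension or cA=FALSE: not a CA
            return False
        below = i - 1                  # intermediates between this issuer and the leaf
        if issuer.path_len is not None and below > issuer.path_len:
            return False
    return True

# Constructed sample chains, ordered leaf first, root last.
TRUSTED = {"Example Root CA"}
root = Cert("Example Root CA", "Example Root CA", is_ca=True)
inter = Cert("Example Issuing CA", "Example Root CA", is_ca=True, path_len=0)
leaf = Cert("shop.example", "Example Issuing CA", is_ca=False)
forged = Cert("bank.example", "shop.example")  # issued by the end-entity cert

GOOD = [leaf, inter, root]
FORGED = [forged, leaf, inter, root]

if __name__ == "__main__":
    for name, chain in (("good", GOOD), ("forged", FORGED)):
        print(name, validate_without_bc(chain, TRUSTED), validate_with_bc(chain, TRUSTED))
```
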

Affected packages

Hackage / tls-extra

Package

Name
tls-extra
Purl
pkg:hackage/tls-extra

Severity

  • 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0.1.0
Fixed
0.4.6.1

Affected versions

0.*

0.1.0
0.1.1
0.1.2
0.1.3
0.1.4
0.1.5
0.1.6
0.1.7
0.1.8
0.1.9
0.2.0
0.2.1
0.2.2
0.2.3
0.3.0
0.3.1
0.4.0
0.4.1
0.4.2
0.4.2.1
0.4.3
0.4.4
0.4.5
0.4.6