RUSTSEC-2016-0001

See a problem?
Please try reporting it to the source first.

Source

https://rustsec.org/advisories/RUSTSEC-2016-0001

Import Source

https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2016-0001.json

JSON Data

https://api.osv.dev/v1/vulns/RUSTSEC-2016-0001

Aliases

Related

RUSTSEC-2016-0002

Published

2016-11-05T12:00:00Z

Modified

2023-11-08T03:58:21.575910Z

Severity

8.1 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

SSL/TLS MitM vulnerability due to insecure defaults

Details

All versions of rust-openssl prior to 0.9.0 contained numerous insecure defaults including off-by-default certificate verification and no API to perform hostname verification.

Unless configured correctly by a developer, these defaults could allow an attacker to perform man-in-the-middle attacks.

The problem was addressed in newer versions by enabling certificate verification by default and exposing APIs to perform hostname verification. Use the SslConnector and SslAcceptor types to take advantage of these new features (as opposed to the lower-level SslContext type).

Database specific

{
    "license": "CC0-1.0"
}

References

Affected packages

crates.io / openssl

Package

Name: openssl; View open source insights on deps.dev
Purl: pkg:cargo/openssl

Affected ranges

Type: SEMVER
Events: Introduced

0.0.0-0

Fixed

0.9.0

Ecosystem specific

{
    "affected_functions": null,
    "affects": {
        "os": [],
        "functions": [],
        "arch": []
    }
}

Database specific

{
    "cvss": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
    "informational": null,
    "categories": []
}