RUSTSEC-2016-0002

See a problem?
Please try reporting it to the source first.

Source

https://rustsec.org/advisories/RUSTSEC-2016-0002

Import Source

https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2016-0002.json

JSON Data

https://api.osv.dev/v1/vulns/RUSTSEC-2016-0002

Aliases

Related

RUSTSEC-2016-0001

Published

2016-05-09T12:00:00Z

Modified

2023-11-08T03:58:21.636340Z

Severity

4.8 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator

Summary

HTTPS MitM vulnerability due to lack of hostname verification

Details

When used on Windows platforms, all versions of Hyper prior to 0.9.4 did not perform hostname verification when making HTTPS requests.

This allows an attacker to perform MitM attacks by preventing any valid CA-issued certificate, even if there's a hostname mismatch.

The problem was addressed by leveraging rust-openssl's built-in support for hostname verification.

Database specific

{
    "license": "CC0-1.0"
}

References

Affected packages

crates.io / hyper

Package

Name: hyper; View open source insights on deps.dev
Purl: pkg:cargo/hyper

Affected ranges

Type: SEMVER
Events: Introduced

0.0.0-0

Fixed

0.9.4

Ecosystem specific

{
    "affected_functions": null,
    "affects": {
        "os": [
            "windows"
        ],
        "functions": [],
        "arch": []
    }
}

Database specific

{
    "cvss": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
    "informational": null,
    "categories": [
        "crypto-failure"
    ]
}