RUSTSEC-2024-0010

See a problem?

Source

https://rustsec.org/advisories/RUSTSEC-2024-0010

Import Source

https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2024-0010.json

JSON Data

https://api.osv.dev/v1/vulns/RUSTSEC-2024-0010

Aliases

Published

2024-02-06T12:00:00Z

Modified

2024-02-15T01:26:41.857241Z

Summary

Improper comparison of different-length signatures

Details

The Webhook::verify function incorrectly compared signatures of different lengths - the two signatures would only be compared up to the length of the shorter signature. This allowed an attacker to pass in v1, as the signature, which would always pass verification.

References

Affected packages

crates.io / svix

Package

Name: svix; View open source insights on deps.dev
Purl: pkg:cargo/svix

Affected ranges

Type: SEMVER
Events: Introduced

0.0.0-0

Fixed

1.17.0

Ecosystem specific

{
    "affected_functions": null,
    "affects": {
        "os": [],
        "functions": [
            "svix::webhooks::Webhook::verify"
        ],
        "arch": []
    }
}

Database specific

{
    "cvss": null,
    "informational": null,
    "categories": [
        "crypto-failure"
    ]
}