- Reported
-
- Issued
-
- Package
-
openssl
(crates.io)
- Type
-
Vulnerability
- Keywords
-
#ssl
#mitm
- Aliases
-
- References
-
- CVSS Score
- 8.1
HIGH
- CVSS Details
-
- Attack vector
- Network
- Attack complexity
- High
- Privileges required
- None
- User interaction
- None
- Scope
- Unchanged
- Confidentiality
- High
- Integrity
- High
- Availability
- High
- CVSS Vector
- CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
- Patched
-
Description
All versions of rust-openssl prior to 0.9.0 contained numerous insecure defaults
including off-by-default certificate verification and no API to perform hostname
verification.
Unless configured correctly by a developer, these defaults could allow an attacker
to perform man-in-the-middle attacks.
The problem was addressed in newer versions by enabling certificate verification
by default and exposing APIs to perform hostname verification. Use the
SslConnector
and SslAcceptor
types to take advantage of these new features
(as opposed to the lower-level SslContext
type).
Advisory available under CC0-1.0
license.