Reported

May 9, 2016

Issued

October 1, 2020 (last modified: June 13, 2023)

Package

hyper (crates.io)

Type

Vulnerability

Categories

• crypto-failure

Keywords

#ssl #mitm

Aliases

• CVE-2016-10932
• GHSA-9xjr-m6f3-v5wm

References

• https://github.com/hyperium/hyper/blob/master/CHANGELOG.md#v094-2016-05-09

Related

• RUSTSEC-2016-0001

CVSS Score

4.8 MEDIUM

CVSS Details

Attack vector

Network

Attack complexity

High

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

CVSS Vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Patched

• >=0.9.4

Affected OSes

• windows

Description

When used on Windows platforms, all versions of Hyper prior to 0.9.4 did not perform hostname verification when making HTTPS requests.

This allows an attacker to perform MitM attacks by preventing any valid CA-issued certificate, even if there's a hostname mismatch.

The problem was addressed by leveraging rust-openssl's built-in support for hostname verification.

Advisory available under CC0-1.0 license.