HistoryEdit

RUSTSEC-2016-0002

HTTPS MitM vulnerability due to lack of hostname verification

Issued
Package
hyper (crates.io)
Type
Vulnerability
Categories
Keywords
#ssl #mitm
Aliases
Details
https://github.com/hyperium/hyper/blob/master/CHANGELOG.md#v094-2016-05-09
CVSS Score
4.8 MEDIUM
CVSS Details
Attack vector
Network
Attack complexity
High
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None
CVSS Vector
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Patched
  • >=0.9.4
Affected OSes
  • windows

Description

When used on Windows platforms, all versions of Hyper prior to 0.9.4 did not perform hostname verification when making HTTPS requests.

This allows an attacker to perform MitM attacks by preventing any valid CA-issued certificate, even if there's a hostname mismatch.

The problem was addressed by leveraging rust-openssl's built-in support for hostname verification.