RUSTSEC-2017-0003

Hostname verification skipped when custom root certs used

Issued

March 15, 2017

Package

security-framework (crates.io)

Type

Vulnerability

Keywords

#mitm

Aliases

CVE-2017-18588

Details

https://github.com/sfackler/rust-security-framework/pull/27

CVSS Score

5.3 MEDIUM

CVSS Details

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Patched

>=0.1.12

Description

If custom root certificates were registered with a ClientBuilder, the hostname of the target server would not be validated against its presented leaf certificate.

This issue was fixed by properly configuring the trust evaluation logic to perform that check.