HistoryEdit

RUSTSEC-2017-0003

Hostname verification skipped when custom root certs used

Issued
Package
security-framework (crates.io)
Type
Vulnerability
Keywords
#mitm
Aliases
Details
https://github.com/sfackler/rust-security-framework/pull/27
CVSS Score
5.3 MEDIUM
CVSS Details
Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Patched
  • >=0.1.12
Keywords
#mitm

Description

If custom root certificates were registered with a ClientBuilder, the hostname of the target server would not be validated against its presented leaf certificate.

This issue was fixed by properly configuring the trust evaluation logic to perform that check.