RUSTSEC-2017-0003

Hostname verification skipped when custom root certs used

Reported

March 15, 2017

Issued

October 1, 2020 (last modified: June 13, 2023)

Package

security-framework (crates.io)

Type

Vulnerability

Keywords

#mitm

Aliases

CVE-2017-18588
GHSA-jqqr-c2r2-9cvr

References

https://github.com/sfackler/rust-security-framework/pull/27

CVSS Score

5.3 MEDIUM

CVSS Details

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Patched

>=0.1.12

Description

If custom root certificates were registered with a ClientBuilder, the hostname of the target server would not be validated against its presented leaf certificate.

This issue was fixed by properly configuring the trust evaluation logic to perform that check.

Advisory available under CC0-1.0 license.