Reported

August 22, 2023

Issued

August 22, 2023 (last modified: September 30, 2023)

Package

webpki (crates.io)

Type

Vulnerability

Categories

• denial-of-service

Keywords

#certificate #path-building #x509

Aliases

• GHSA-8qv2-5vq6-g2g7

Related

• CVE-2018-16875

CVSS Score

7.5 HIGH

CVSS Details

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Patched

• >=0.22.2

Description

When this crate is given a pathological certificate chain to validate, it will spend CPU time exponential with the number of candidate certificates at each step of path building.

Both TLS clients and TLS servers that accept client certificate are affected.

This was previously reported in https://github.com/briansmith/webpki/issues/69 and re-reported recently by Luke Malinowski.

webpki 0.22.1 included a partial fix and webpki 0.22.2 added further fixes.

Advisory available under CC0-1.0 license.