OMGeeky/advisory-db
1
0
Fork 0
mirror of https://github.com/OMGeeky/advisory-db.git synced 2026-02-15 22:04:38 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
b40bd2ae822ca05d84ef0bfad0fdd71a8a15883a
advisory-db/crates/openssl/RUSTSEC-2023-0023.md
Alexis Mousset 84c633df9c Update aliases from GHSA OSV export (#1693)
2023-06-13 15:10:24 +02:00

813 B
Raw Blame History 

[advisory]
id = "RUSTSEC-2023-0023"
package = "openssl"
date = "2023-03-24"
url = "https://github.com/sfackler/rust-openssl/pull/1854"
categories = ["file-disclosure"]
aliases = ["GHSA-9qwg-crg9-m2vc"]

[affected]
functions = { "openssl::x509::extension::SubjectAlternativeName::new" = ["< 0.10.48, >=0.9.7"], "openssl::x509::extension::ExtendedKeyUsage::other" = ["< 0.10.48, >=0.9.7"] }

[versions]
patched = [">= 0.10.48"]

openssl SubjectAlternativeName and ExtendedKeyUsage::other allow arbitrary file read

SubjectAlternativeName and ExtendedKeyUsage arguments were parsed using the OpenSSL function X509V3_EXT_nconf. This function parses all input using an OpenSSL mini-language which can perform arbitrary file reads.

Thanks to David Benjamin (Google) for reporting this issue.