OMGeeky/advisory-db
1
0
Fork 0
mirror of https://github.com/OMGeeky/advisory-db.git synced 2025-12-31 16:50:28 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
d8701fad2d40aeca8e8564692f14a8d7c30a5136
advisory-db/crates/hyper/RUSTSEC-2016-0002.md
Tony Arcieri 84f130870b Rename references fields to related (#492) 
This frees up `references` to be used for tracking multiple URLs with
additional information.

See also: RustSec/advisory-db#429
2020-11-23 07:55:17 -08:00

787 B
Raw Blame History 

[advisory]
id = "RUSTSEC-2016-0002"
package = "hyper"
date = "2016-05-09"
aliases = ["CVE-2016-10932"]
related = ["RUSTSEC-2016-0001"]
categories = ["crypto-failure"]
keywords = ["ssl", "mitm"]
url = "https://github.com/hyperium/hyper/blob/master/CHANGELOG.md#v094-2016-05-09"

[affected]
os = ["windows"]

[versions]
patched = [">= 0.9.4"]

HTTPS MitM vulnerability due to lack of hostname verification

When used on Windows platforms, all versions of Hyper prior to 0.9.4 did not perform hostname verification when making HTTPS requests.

This allows an attacker to perform MitM attacks by preventing any valid CA-issued certificate, even if there's a hostname mismatch.

The problem was addressed by leveraging rust-openssl's built-in support for hostname verification.