Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS04cXYyLTV2cTYtZzJnN84AA1ff
webpki: CPU denial of service in certificate path building
When this crate is given a pathological certificate chain to validate, it will spend CPU time exponential with the number of candidate certificates at each step of path building.
Both TLS clients and TLS servers that accept client certificate are affected.
This was previously reported in https://github.com/briansmith/webpki/issues/69.
rustls-webpki
is a fork of this crate which contains a fix for this issue and is actively maintained.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04cXYyLTV2cTYtZzJnN84AA1ff
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 9 months ago
Updated: 7 months ago
CVSS Score: 7.5
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Identifiers: GHSA-8qv2-5vq6-g2g7
References:
- https://github.com/crypto-com/sgx-vendor
- https://rustsec.org/advisories/RUSTSEC-2023-0052.html
- https://github.com/briansmith/webpki/issues/69
- https://github.com/briansmith/webpki/issues/69#issuecomment-1699894848
- https://github.com/briansmith/webpki/commit/30a108e0802fd09585e0d071013f24b8272d139b
- https://github.com/advisories/GHSA-8qv2-5vq6-g2g7
Blast Radius: 31.8
Affected Packages
cargo:webpki
Dependent packages: 252Dependent repositories: 17,480
Downloads: 75,067,612 total
Affected Version Ranges: <= 0.22.1
Fixed in: 0.22.2
All affected versions: 0.1.1, 0.2.0, 0.2.1, 0.2.2, 0.3.0, 0.4.0, 0.5.0, 0.5.1, 0.7.0, 0.8.0, 0.9.0, 0.9.1, 0.9.2, 0.10.0, 0.10.1, 0.10.2, 0.11.0, 0.12.0, 0.12.1, 0.13.0, 0.14.0, 0.15.0, 0.16.0, 0.17.0, 0.18.0, 0.18.1, 0.19.0, 0.19.1, 0.20.0, 0.21.0, 0.21.1, 0.21.2, 0.21.3, 0.21.4, 0.22.0, 0.22.1
All unaffected versions: 0.22.2, 0.22.3, 0.22.4