Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1maDJyLTk5cTItNm1tZ84AA1as
rustls-webpki: CPU denial of service in certificate path building
When this crate is given a pathological certificate chain to validate, it will spend CPU time exponential with the number of candidate certificates at each step of path building.
Both TLS clients and TLS servers that accept client certificate are affected.
We now give each path building operation a budget of 100 signature verifications.
The original webpki crate is also affected, see GHSA-8qv2-5vq6-g2g7.
This was previously reported in the original crate https://github.com/briansmith/webpki/issues/69 and re-reported to us recently.
Permalink: https://github.com/advisories/GHSA-fh2r-99q2-6mmgJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1maDJyLTk5cTItNm1tZ84AA1as
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 1 year ago
Updated: about 1 year ago
CVSS Score: 7.5
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Identifiers: GHSA-fh2r-99q2-6mmg
References:
- https://github.com/rustls/webpki/commit/4ea052366f342a06344aab589565179b59b342d3
- https://github.com/rustls/webpki/commit/dcad2406c92169b72c110dd12183fcc74035b683
- https://rustsec.org/advisories/RUSTSEC-2023-0053.html
- https://github.com/advisories/GHSA-8qv2-5vq6-g2g7
- https://github.com/advisories/GHSA-fh2r-99q2-6mmg
Blast Radius: 27.5
Affected Packages
cargo:rustls-webpki
Dependent packages: 65Dependent repositories: 4,654
Downloads: 105,645,556 total
Affected Version Ranges: >= 0.101.0, < 0.101.4, < 0.100.2
Fixed in: 0.101.4, 0.100.2
All affected versions: 0.100.0, 0.100.1, 0.101.0, 0.101.1, 0.101.2, 0.101.3
All unaffected versions: 0.100.2, 0.100.3, 0.101.4, 0.101.5, 0.101.6, 0.101.7, 0.102.0, 0.102.1, 0.102.2, 0.102.3, 0.102.4, 0.102.5, 0.102.6, 0.102.7, 0.102.8