Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTl4anItbTZmMy12NXdt
HTTPS MitM vulnerability due to lack of hostname verification
When used on Windows platforms, all versions of Hyper prior to 0.9.4 did not perform hostname verification when making HTTPS requests.
This allows an attacker to perform MitM attacks by preventing any valid CA-issued certificate, even if there's a hostname mismatch.
The problem was addressed by leveraging rust-openssl's built-in support for hostname verification.
Permalink: https://github.com/advisories/GHSA-9xjr-m6f3-v5wmJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTl4anItbTZmMy12NXdt
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 2 years ago
Updated: 10 months ago
CVSS Score: 4.8
CVSS vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Identifiers: GHSA-9xjr-m6f3-v5wm, CVE-2016-10932
References:
- https://nvd.nist.gov/vuln/detail/CVE-2016-10932
- https://github.com/hyperium/hyper/blob/master/CHANGELOG.md#v094-2016-05-09
- https://rustsec.org/advisories/RUSTSEC-2016-0002.html
- https://github.com/hyperium/hyper/issues/472
- https://github.com/hyperium/hyper/commit/01160abd92956e5f995cc45790df7a2b86c8989f
- https://github.com/advisories/GHSA-9xjr-m6f3-v5wm
Blast Radius: 22.0
Affected Packages
cargo:hyper
Dependent packages: 3,673Dependent repositories: 38,106
Downloads: 142,817,040 total
Affected Version Ranges: < 0.9.4
Fixed in: 0.9.4
All affected versions: 0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.0.6, 0.0.7, 0.0.8, 0.0.9, 0.0.10, 0.0.11, 0.0.12, 0.0.13, 0.0.14, 0.0.15, 0.0.16, 0.0.17, 0.0.18, 0.0.19, 0.0.20, 0.0.21, 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.1.6, 0.1.7, 0.1.8, 0.1.9, 0.1.10, 0.1.11, 0.1.12, 0.1.13, 0.2.0, 0.2.1, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.3.5, 0.3.6, 0.3.7, 0.3.8, 0.3.9, 0.3.10, 0.3.11, 0.3.12, 0.3.13, 0.3.14, 0.3.15, 0.3.16, 0.4.0, 0.5.0, 0.5.1, 0.5.2, 0.6.0, 0.6.1, 0.6.2, 0.6.3, 0.6.4, 0.6.5, 0.6.6, 0.6.7, 0.6.8, 0.6.9, 0.6.10, 0.6.11, 0.6.12, 0.6.13, 0.6.14, 0.6.15, 0.6.16, 0.7.0, 0.7.1, 0.7.2, 0.8.0, 0.8.1, 0.9.0, 0.9.1, 0.9.2, 0.9.3
All unaffected versions: 0.9.4, 0.9.5, 0.9.6, 0.9.7, 0.9.8, 0.9.9, 0.9.10, 0.9.11, 0.9.12, 0.9.13, 0.9.14, 0.9.15, 0.9.17, 0.9.18, 0.10.0, 0.10.1, 0.10.2, 0.10.3, 0.10.4, 0.10.5, 0.10.6, 0.10.7, 0.10.8, 0.10.9, 0.10.10, 0.10.11, 0.10.12, 0.10.13, 0.10.14, 0.10.15, 0.10.16, 0.11.0, 0.11.1, 0.11.2, 0.11.3, 0.11.4, 0.11.5, 0.11.6, 0.11.7, 0.11.8, 0.11.9, 0.11.10, 0.11.11, 0.11.12, 0.11.13, 0.11.14, 0.11.15, 0.11.16, 0.11.17, 0.11.18, 0.11.19, 0.11.20, 0.11.21, 0.11.22, 0.11.23, 0.11.24, 0.11.25, 0.11.26, 0.11.27, 0.12.0, 0.12.1, 0.12.2, 0.12.3, 0.12.4, 0.12.5, 0.12.6, 0.12.7, 0.12.8, 0.12.9, 0.12.10, 0.12.11, 0.12.12, 0.12.13, 0.12.14, 0.12.15, 0.12.16, 0.12.17, 0.12.18, 0.12.19, 0.12.20, 0.12.21, 0.12.22, 0.12.23, 0.12.24, 0.12.25, 0.12.26, 0.12.27, 0.12.28, 0.12.29, 0.12.30, 0.12.31, 0.12.32, 0.12.33, 0.12.34, 0.12.35, 0.12.36, 0.13.0, 0.13.1, 0.13.2, 0.13.3, 0.13.4, 0.13.5, 0.13.6, 0.13.7, 0.13.8, 0.13.9, 0.13.10, 0.14.0, 0.14.1, 0.14.2, 0.14.3, 0.14.4, 0.14.5, 0.14.6, 0.14.7, 0.14.8, 0.14.9, 0.14.10, 0.14.11, 0.14.12, 0.14.13, 0.14.14, 0.14.15, 0.14.16, 0.14.17, 0.14.18, 0.14.19, 0.14.20, 0.14.21, 0.14.22, 0.14.23, 0.14.24, 0.14.25, 0.14.26, 0.14.27, 0.14.28, 1.0.0, 1.0.1, 1.1.0, 1.2.0, 1.3.0, 1.3.1