CVE-2016-10932 – hyper
Package
Manager: cargo
Name: hyper
Vulnerable Version: >=0 <0.9.4
Severity
Level: Medium
CVSS v3.1: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00203 (percentile: 0.42617)
Details
HTTPS MitM vulnerability due to lack of hostname verification

When used on Windows platforms, all versions of Hyper prior to 0.9.4 did not perform hostname verification when making HTTPS requests. This allows an attacker to perform MitM attacks by presenting any valid CA-issued certificate, even if there's a hostname mismatch. The problem was addressed by leveraging rust-openssl's built-in support for hostname verification.
Metadata
Created: 2021-08-25T20:43:06Z
Modified: 2023-06-13T17:38:19Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-9xjr-m6f3-v5wm/GHSA-9xjr-m6f3-v5wm.json
CWE IDs: ["CWE-347"]
Alternative ID: GHSA-9xjr-m6f3-v5wm
Finding: F163
Auto approve: 1