CVE-2016-10931 – openssl

Package

Manager: cargo
Name: openssl
Vulnerable Version: >=0 <0.9.0

Severity

Level: High

CVSS v3.1: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

EPSS: 0.00183 pctl0.40257

Details

Improper Certificate Validation in openssl All versions of rust-openssl prior to 0.9.0 contained numerous insecure defaults including off-by-default certificate verification and no API to perform hostname verification. Unless configured correctly by a developer, these defaults could allow an attacker to perform man-in-the-middle attacks. The problem was addressed in newer versions by enabling certificate verification by default and exposing APIs to perform hostname verification. Use the SslConnector and SslAcceptor types to take advantage of these new features (as opposed to the lower-level SslContext type).

Metadata

Created: 2021-08-25T20:43:11Z
Modified: 2023-06-13T20:14:09Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-34p9-f4q3-c4r7/GHSA-34p9-f4q3-c4r7.json
CWE IDs: ["CWE-295"]
Alternative ID: GHSA-34p9-f4q3-c4r7
Finding: F163
Auto approve: 1