CVE-2017-18588 – security-framework
Package
Manager: cargo
Name: security-framework
Vulnerable Version: >=0 <0.1.12
Severity
Level: Medium
CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00104 (percentile: 0.28986)
Details
Improper Certificate Validation in security-framework
If custom root certificates were registered with a ClientBuilder, the hostname of the target server would not be validated against its presented leaf certificate. This issue was fixed by properly configuring the trust evaluation logic to perform that check.
Metadata
Created: 2021-08-25T20:42:59Z
Modified: 2023-06-13T20:37:16Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-jqqr-c2r2-9cvr/GHSA-jqqr-c2r2-9cvr.json
CWE IDs: ["CWE-295"]
Alternative ID: GHSA-jqqr-c2r2-9cvr
Finding: F163
Auto approve: 1