Skip to content

HTTPS MitM vulnerability due to lack of hostname verification

Moderate severity GitHub Reviewed Published Aug 25, 2021 to the GitHub Advisory Database • Updated Jun 13, 2023

Package

cargo hyper (Rust)

Affected versions

< 0.9.4

Patched versions

0.9.4

Description

When used on Windows platforms, all versions of Hyper prior to 0.9.4 did not perform hostname verification when making HTTPS requests.

This allows an attacker to perform MitM attacks by preventing any valid CA-issued certificate, even if there's a hostname mismatch.

The problem was addressed by leveraging rust-openssl's built-in support for hostname verification.

References

Reviewed Aug 19, 2021
Published to the GitHub Advisory Database Aug 25, 2021
Last updated Jun 13, 2023

Severity

Moderate
4.8
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
High
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Weaknesses

CVE ID

CVE-2016-10932

GHSA ID

GHSA-9xjr-m6f3-v5wm

Source code

No known source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.