RUSTSEC-2023-0052: webpki: CPU denial of service in certificate path building #1285

github-actions · 2023-08-23T00:03:27Z

webpki: CPU denial of service in certificate path building

Details
Package	`webpki`
Version	`0.22.0`
Date	2023-08-22

When this crate is given a pathological certificate chain to validate, it will
spend CPU time exponential with the number of candidate certificates at each
step of path building.

Both TLS clients and TLS servers that accept client certificate are affected.

This was previously reported in
<briansmith/webpki#69> and re-reported recently
by Luke Malinowski.

rustls-webpki is a fork of this crate which contains a fix for this issue
and is actively maintained.

See advisory page for additional details.

The text was updated successfully, but these errors were encountered:

clux · 2023-08-23T07:45:38Z

We only have rustls-webpki in our dependency tree.

$ cargo tree --all-features |grep webpki
│   │   │   ├── rustls-webpki v0.101.3

clux closed this as completed Aug 23, 2023

clux added invalid rejected as a valid issue security related to advisories or CVEs labels Aug 23, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

RUSTSEC-2023-0052: webpki: CPU denial of service in certificate path building #1285

RUSTSEC-2023-0052: webpki: CPU denial of service in certificate path building #1285

github-actions bot commented Aug 23, 2023

clux commented Aug 23, 2023

RUSTSEC-2023-0052: webpki: CPU denial of service in certificate path building #1285

RUSTSEC-2023-0052: webpki: CPU denial of service in certificate path building #1285

Comments

github-actions bot commented Aug 23, 2023

clux commented Aug 23, 2023