CVE-2016-10931 — Improper Certificate Validation in Project Rust-openssl

CWE-295 — Improper Certificate Validation5 documents4 sources

Severity

8.1HIGHNVD

EPSS

0.2%

top 60.01%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Rust-openssl Project Rust-openssl Openssl Debian Rust-openssl

Timeline

PublishedAug 26

Latest updateAug 25

Description

An issue was discovered in the openssl crate before 0.9.0 for Rust. There is an SSL/TLS man-in-the-middle vulnerability because certificate verification is off by default and there is no API for hostname verification.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages3 packages

▶NVDrust-openssl_project/rust-openssl< 0.9.0

▶debiandebian/rust-openssl

▶crates.ioopenssl/openssl0.0.0-0 — 0.9.0+1

🔴Vulnerability Details

GHSA

Improper Certificate Validation in openssl↗2021-08-25

▶

OSV

Improper Certificate Validation in openssl↗2021-08-25

▶

OSV

SSL/TLS MitM vulnerability due to insecure defaults↗2016-11-05

▶

📋Vendor Advisories

Debian

CVE-2016-10931: rust-openssl - An issue was discovered in the openssl crate before 0.9.0 for Rust. There is an ...↗2016

▶