Headline
GHSA-8qv2-5vq6-g2g7: webpki: CPU denial of service in certificate path building
When this crate is given a pathological certificate chain to validate, it will spend CPU time exponential with the number of candidate certificates at each step of path building.
Both TLS clients and TLS servers that accept client certificate are affected.
This was previously reported in https://github.com/briansmith/webpki/issues/69 and re-reported recently by Luke Malinowski.
rustls-webpki is a fork of this crate which contains a fix for this issue
and is actively maintained.
Package
cargo webpki (Rust)
Affected versions
<= 0.22.0
Patched versions
None
Description
When this crate is given a pathological certificate chain to validate, it will
spend CPU time exponential with the number of candidate certificates at each
step of path building.
Both TLS clients and TLS servers that accept client certificate are affected.
This was previously reported in
briansmith/webpki#69 and re-reported recently
by Luke Malinowski.
rustls-webpki is a fork of this crate which contains a fix for this issue
and is actively maintained.
References
- https://github.com/crypto-com/sgx-vendor
- https://rustsec.org/advisories/RUSTSEC-2023-0052.html
Published to the GitHub Advisory Database
Aug 25, 2023
Reviewed
Aug 25, 2023