CVE-2016-10932: HTTPS MitM vulnerability due to lack of hostname verification

August 25, 2021 (updated June 13, 2023)

When used on Windows platforms, all versions of Hyper prior to 0.9.4 did not perform hostname verification when making HTTPS requests.

This allows an attacker to perform MitM attacks by preventing any valid CA-issued certificate, even if there’s a hostname mismatch.

The problem was addressed by leveraging rust-openssl’s built-in support for hostname verification.

References

github.com/advisories/GHSA-9xjr-m6f3-v5wm
github.com/hyperium/hyper/blob/master/CHANGELOG.md
github.com/hyperium/hyper/commit/01160abd92956e5f995cc45790df7a2b86c8989f
github.com/hyperium/hyper/issues/472
nvd.nist.gov/vuln/detail/CVE-2016-10932
rustsec.org/advisories/RUSTSEC-2016-0002.html

Detect and mitigate CVE-2016-10932 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →