CVE-2016-10931: Improper Certificate Validation in openssl

August 25, 2021 (updated June 13, 2023)

All versions of rust-openssl prior to 0.9.0 contained numerous insecure defaults including off-by-default certificate verification and no API to perform hostname verification. Unless configured correctly by a developer, these defaults could allow an attacker to perform man-in-the-middle attacks. The problem was addressed in newer versions by enabling certificate verification by default and exposing APIs to perform hostname verification. Use the SslConnector and SslAcceptor types to take advantage of these new features (as opposed to the lower-level SslContext type).

References

github.com/advisories/GHSA-34p9-f4q3-c4r7
github.com/sfackler/rust-openssl
github.com/sfackler/rust-openssl/releases/tag/v0.9.0
nvd.nist.gov/vuln/detail/CVE-2016-10931
rustsec.org/advisories/RUSTSEC-2016-0001.html

Detect and mitigate CVE-2016-10931 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →