GHSA-fh2r-99q2-6mmg: rustls-webpki: CPU denial of service in certificate path building

August 22, 2023 (updated September 19, 2023)

When this crate is given a pathological certificate chain to validate, it will spend CPU time exponential with the number of candidate certificates at each step of path building.

Both TLS clients and TLS servers that accept client certificate are affected.

We now give each path building operation a budget of 100 signature verifications.

The original webpki crate is also affected, see GHSA-8qv2-5vq6-g2g7.

This was previously reported in the original crate https://github.com/briansmith/webpki/issues/69 and re-reported to us recently.

References

github.com/advisories/GHSA-8qv2-5vq6-g2g7
github.com/advisories/GHSA-fh2r-99q2-6mmg
github.com/rustls/webpki
github.com/rustls/webpki/commit/4ea052366f342a06344aab589565179b59b342d3
github.com/rustls/webpki/commit/dcad2406c92169b72c110dd12183fcc74035b683
rustsec.org/advisories/RUSTSEC-2023-0053.html

Detect and mitigate GHSA-fh2r-99q2-6mmg with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →