CVE-2017-18588: Improper Certificate Validation in security-framework

August 25, 2021 (updated June 13, 2023)

If custom root certificates were registered with a ClientBuilder, the hostname of the target server would not be validated against its presented leaf certificate. This issue was fixed by properly configuring the trust evaluation logic to perform that check.

References

github.com/advisories/GHSA-jqqr-c2r2-9cvr
github.com/sfackler/rust-security-framework
github.com/sfackler/rust-security-framework/pull/27
nvd.nist.gov/vuln/detail/CVE-2017-18588
rustsec.org/advisories/RUSTSEC-2017-0003.html

Code Behaviors & Features

Detect and mitigate CVE-2017-18588 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →