GHSA-8qv2-5vq6-g2g7: webpki: CPU denial of service in certificate path building

August 25, 2023 (updated September 6, 2023)

When this crate is given a pathological certificate chain to validate, it will spend CPU time exponential with the number of candidate certificates at each step of path building.

Both TLS clients and TLS servers that accept client certificate are affected.

This was previously reported in https://github.com/briansmith/webpki/issues/69.

rustls-webpki is a fork of this crate which contains a fix for this issue and is actively maintained.

References

github.com/advisories/GHSA-8qv2-5vq6-g2g7
github.com/briansmith/webpki
github.com/briansmith/webpki/commit/30a108e0802fd09585e0d071013f24b8272d139b
github.com/briansmith/webpki/issues/69
github.com/briansmith/webpki/issues/69
github.com/crypto-com/sgx-vendor
rustsec.org/advisories/RUSTSEC-2023-0052.html

Code Behaviors & Features

Detect and mitigate GHSA-8qv2-5vq6-g2g7 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →