search

Dima2021 / cargo-audit

Audit Cargo.lock files for crates with security vulnerabilities
https://rustsec.org/
Apache License 2.0
0 stars 0 forks source link

CVE-2021-3449 (Medium) detected in openssl-src-111.14.0+1.1.1j.crate - autoclosed #6

Closed mend-for-github-com[bot] closed 2 years ago

mend-for-github-com[bot] commented 3 years ago

CVE-2021-3449 - Medium Severity Vulnerability

Vulnerable Library - openssl-src-111.14.0+1.1.1j.crate

Source of OpenSSL and logic to build it.

Library home page: https://crates.io/api/v1/crates/openssl-src/111.14.0+1.1.1j/download

Dependency Hierarchy: - rustsec-0.23.3.crate (Root Library) - cargo-edit-0.7.0.crate - reqwest-0.10.10.crate - tokio-tls-0.3.1.crate - native-tls-0.2.7.crate - openssl-0.10.32.crate - openssl-sys-0.9.60.crate - :x: **openssl-src-111.14.0+1.1.1j.crate** (Vulnerable Library)

Found in HEAD commit: 91b6c7a5fffc4969d7d1185aecc6179ebcf18f48

Found in base branch: main

Vulnerability Details

An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j).

Publish Date: 2021-03-25

URL: CVE-2021-3449

CVSS 3 Score Details (5.9)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3449

Release Date: 2021-03-25

Fix Resolution: 1.1.1k

mend-for-github-com[bot] commented 3 years ago

:heavy_check_mark: This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory.

mend-for-github-com[bot] commented 3 years ago

:information_source: This issue was automatically re-opened by WhiteSource because the vulnerable library in the specific branch(es) has been detected in the WhiteSource inventory.

mend-for-github-com[bot] commented 2 years ago

:heavy_check_mark: This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory.