Open mend-bolt-for-github[bot] opened 1 year ago
WS-2023-0195 - Critical Severity Vulnerability
Vulnerable Library - openssl-0.10.26.crate
OpenSSL bindings
Library home page: https://crates.io/api/v1/crates/openssl/0.10.26/download
Path to dependency file: /third_party/rust_crates/vendor/trust-dns-resolver/Cargo.toml
Path to vulnerable library: /third_party/rust_crates/vendor/trust-dns-resolver/Cargo.toml
Dependency Hierarchy:
- tokio-openssl-0.4.0.crate (Root Library)
  - :x: **openssl-0.10.26.crate** (Vulnerable Library)
Found in HEAD commit: 4ec0c406a28f193fe6e7376ee7696cca0532d4ba
Found in base branch: master
Vulnerability Details
`openssl` `X509VerifyParamRef::set_host` buffer over-read
Publish Date: 2024-11-03
URL: WS-2023-0195
CVSS 3 Score Details (9.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://github.com/advisories/GHSA-xcf7-rvmh-g6q4
Release Date: 2023-06-22
Fix Resolution: openssl - 0.10.55