6 matches found
NATS TLS certificate common name validation bypass
The NATS official Rust clients are vulnerable to MitM when using TLS. A fix for the nats crate hasn't been released yet. Since the nats crate is going to be deprecated anyway, consider switching to async-nats = 0.29 which already fixed this vulnerability. The common name of the server's TLS...
GHSA-WVC4-J7G5-4F79 NATS TLS certificate common name validation bypass
The NATS official Rust clients are vulnerable to MitM when using TLS. A fix for the nats crate hasn't been released yet. Since the nats crate is going to be deprecated anyway, consider switching to async-nats = 0.29 which already fixed this vulnerability. The common name of the server's TLS...
GHSA-F5V5-CCQC-6W36 async-nats vulnerable to TLS certificate common name validation bypass
The NATS official Rust clients are vulnerable to MitM when using TLS. The common name of the server's TLS certificate is validated against the hostname provided by the server's plaintext INFO message during the initial connection setup phase. A MitM proxy can tamper with the host field's value by...
core-lib (>=0.1.0 <=0.2.0), eventsourced-nats (>=0.1.0 <=0.6.0) +25 more potentially affected by unknown CVE via async-nats (>=0.10.1 <=0.27.1)
async-nats CARGO version =0.10.1, =0.1.0, =0.1.0, =0.1.0, =0.7.0, =0.26.0, =0.25.0, =0.12.0, =0.9.0, =0.16.0, =0.3.0, =0.4.0 and more Source cves: unknown CVE Source advisory: OSV:GHSA-F5V5-CCQC-6W36...
core-lib (>=0.1.0 <=0.2.0), eventsourced-nats (>=0.1.0 <=0.6.0) +25 more potentially affected by unknown CVE via async-nats (>=0.10.1 <=0.27.1)
async-nats CARGO version =0.10.1, =0.1.0, =0.1.0, =0.1.0, =0.7.0, =0.26.0, =0.25.0, =0.12.0, =0.9.0, =0.16.0, =0.3.0, =0.4.0 and more Source cves: unknown CVE Source advisory: OSV:RUSTSEC-2023-0027...
TLS certificate common name validation bypass
The NATS official Rust clients are vulnerable to MitM when using TLS. The common name of the server's TLS certificate is validated against the hostname provided by the server's plaintext INFO message during the initial connection setup phase. A MitM proxy can tamper with the host field's value by...