GHSA-3GXF-9R58-2GHG - Vulnerability-Lookup

GHSA-3GXF-9R58-2GHG

Vulnerability from github – Published: 2023-03-24 22:01 – Updated: 2023-03-24 22:01

Summary

`openssl` `X509NameBuilder::build` returned object is not thread safe

Details

OpenSSL has a modified bit that it can set on on X509_NAME objects. If this bit is set then the object is not thread-safe even when it appears the code is not modifying the value.

Thanks to David Benjamin (Google) for reporting this issue.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "openssl"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.9.7"
            },
            {
              "fixed": "0.10.48"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": true,
    "github_reviewed_at": "2023-03-24T22:01:35Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "OpenSSL has a `modified` bit that it can set on on `X509_NAME` objects. If this bit is set then the object is not thread-safe even when it appears the code is not modifying the value.\n\nThanks to David Benjamin (Google) for reporting this issue.\n",
  "id": "GHSA-3gxf-9r58-2ghg",
  "modified": "2023-03-24T22:01:35Z",
  "published": "2023-03-24T22:01:35Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/sfackler/rust-openssl/pull/1854"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2023-0022.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "`openssl` `X509NameBuilder::build` returned object is not thread safe"
}

ghsa-3gxf-9r58-2ghg

Vulnerability from osv_rustsec

Published

2023-03-24 12:00

Modified

2023-06-13 13:10

Summary

`openssl` `X509NameBuilder::build` returned object is not thread safe

Details

OpenSSL has a modified bit that it can set on on X509_NAME objects. If this bit is set then the object is not thread-safe even when it appears the code is not modifying the value.

Thanks to David Benjamin (Google) for reporting this issue.

{
  "affected": [
    {
      "database_specific": {
        "categories": [
          "thread-safety"
        ],
        "cvss": null,
        "informational": null
      },
      "ecosystem_specific": {
        "affected_functions": null,
        "affects": {
          "arch": [],
          "functions": [
            "openssl::x509::X509NameBuilder::build"
          ],
          "os": []
        }
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "openssl",
        "purl": "pkg:cargo/openssl"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.0-0"
            },
            {
              "fixed": "0.10.48"
            }
          ],
          "type": "SEMVER"
        }
      ],
      "versions": []
    }
  ],
  "aliases": [
    "GHSA-3gxf-9r58-2ghg"
  ],
  "database_specific": {
    "license": "CC0-1.0"
  },
  "details": "OpenSSL has a `modified` bit that it can set on on `X509_NAME` objects. If this\nbit is set then the object is not thread-safe even when it appears the code is\nnot modifying the value.\n\nThanks to David Benjamin (Google) for reporting this issue.",
  "id": "RUSTSEC-2023-0022",
  "modified": "2023-06-13T13:10:24Z",
  "published": "2023-03-24T12:00:00Z",
  "references": [
    {
      "type": "PACKAGE",
      "url": "https://crates.io/crates/openssl"
    },
    {
      "type": "ADVISORY",
      "url": "https://rustsec.org/advisories/RUSTSEC-2023-0022.html"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sfackler/rust-openssl/pull/1854"
    }
  ],
  "related": [],
  "severity": [],
  "summary": "`openssl` `X509NameBuilder::build` returned object is not thread safe"
}

Log in or create an account to share your comment.

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.