Add patched version to RUSTSEC-2023-0029 (#1817)
paolobarbolini authored Nov 8, 2023
1 parent 378e212 commit 0f4e16f
Showing 1 changed file with 1 addition and 5 deletions.
6 changes: 1 addition & 5 deletions crates/nats/RUSTSEC-2023-0029.md
@@ -8,18 +8,14 @@ keywords = ["tls", "mitm"]
aliases = ["GHSA-wvc4-j7g5-4f79"]

[versions]
patched = []
patched = [">=0.24.1"]
unaffected = ["< 0.9.0"]
```

# TLS certificate common name validation bypass

The NATS official Rust clients are vulnerable to MitM when using TLS.

A fix for the `nats` crate hasn't been released yet. Since the `nats` crate
is going to be deprecated anyway, consider switching to `async-nats` `>= 0.29`
which already fixed this vulnerability.

The common name of the server's TLS certificate is validated against
the `host`name provided by the server's plaintext `INFO` message
during the initial connection setup phase. A MitM proxy can tamper with
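Review bot: the advisory body is now inconsistent with the metadata it sits under. The hunk sets `patched = [">=0.24.1"]`, but the paragraph that follows still states "A fix for the `nats` crate hasn't been released yet" and only points readers to `async-nats` `>= 0.29`. Anyone reading the rendered advisory will see a patched range and a sentence denying that a patch exists. Suggest rewriting that paragraph in the same change, for example "This is fixed in `nats` 0.24.1. Since the `nats` crate is going to be deprecated anyway, also consider switching to `async-nats` `>= 0.29`.", so the remediation guidance matches the `[versions]` table that tooling such as `cargo audit` reports from.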