Security Advisories

CGA-6cf8-49j8-g8m2

Published

Last updated

https://images.chainguard.dev/security/CGA-6cf8-49j8-g8m2
Package

buck2

Latest Update
Pending upstream fix
Aliases
  • GHSA-8qv2-5vq6-g2g7

Severity

7.5

High

CVSS V3

Summary

webpki: CPU denial of service in certificate path building

Description

When this crate is given a pathological certificate chain to validate, it will spend CPU time exponential in the number of candidate certificates at each step of path building.

Both TLS clients and TLS servers that accept client certificates are affected.

This was previously reported in https://github.com/briansmith/webpki/issues/69.

rustls-webpki is a fork of this crate which contains a fix for this issue and is actively maintained.
