{"ecosystem":"cargo","package":"openssl","version":null,"bugs":[{"id":917,"ecosystem":"cargo","package_name":"openssl","affected_version":"0.9.7","fixed_version":"0.10.48","bug_id":"osv:GHSA-9qwg-crg9-m2vc","title":"`openssl` `SubjectAlternativeName` and `ExtendedKeyUsage::other` allow arbitrary file read","description":"`SubjectAlternativeName` and `ExtendedKeyUsage` arguments were parsed using the OpenSSL function `X509V3_EXT_nconf`. This function parses all input using an OpenSSL mini-language which can perform arbitrary file reads.\n\nThanks to David Benjamin (Google) for reporting this issue.\n","severity":"high","status":"fixed","source":"osv","source_url":"https://github.com/sfackler/rust-openssl/pull/1854","labels":["RUSTSEC-2023-0023"],"created_at":"2026-04-19T04:32:14.663427+00:00","updated_at":"2026-04-19T04:32:14.663427+00:00"},{"id":916,"ecosystem":"cargo","package_name":"openssl","affected_version":"0.9.7","fixed_version":"0.10.48","bug_id":"osv:GHSA-6hcf-g6gr-hhcr","title":"`openssl` `X509Extension::new` and `X509Extension::new_nid` null pointer dereference","description":"These functions would crash when the context argument was None with certain extension types.\n\nThanks to David Benjamin (Google) for reporting this issue.\n","severity":"high","status":"fixed","source":"osv","source_url":"https://github.com/sfackler/rust-openssl/pull/1854","labels":["RUSTSEC-2023-0024"],"created_at":"2026-04-19T04:32:14.663015+00:00","updated_at":"2026-04-19T04:32:14.663015+00:00"},{"id":913,"ecosystem":"cargo","package_name":"openssl","affected_version":null,"fixed_version":"0.9.0","bug_id":"osv:GHSA-34p9-f4q3-c4r7","title":"Improper Certificate Validation in openssl","description":"All versions of rust-openssl prior to 0.9.0 contained numerous insecure defaults including off-by-default certificate verification and no API to perform hostname verification. 
Unless configured correctly by a developer, these defaults could allow an attacker to perform man-in-the-middle attacks. The problem was addressed in newer versions by enabling certificate verification by default and exposing APIs to perform hostname verification. Use the SslConnector and SslAcceptor types to take advantage of these new features (as opposed to the lower-level SslContext type).","severity":"high","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2016-10931","labels":["CVE-2016-10931","RUSTSEC-2016-0001"],"created_at":"2026-04-19T04:32:14.661153+00:00","updated_at":"2026-04-19T04:32:14.661153+00:00"},{"id":932,"ecosystem":"cargo","package_name":"openssl","affected_version":"0.10.39","fixed_version":"0.10.72","bug_id":"osv:RUSTSEC-2025-0022","title":"Use-After-Free in `Md::fetch` and `Cipher::fetch`","description":"When a `Some(...)` value was passed to the `properties` argument of either of these functions, a use-after-free would result.\n\nIn practice this would nearly always result in OpenSSL treating the properties as an empty string (due to `CString::drop`'s behavior).\n\nThe maintainers thank [quitbug](https://github.com/quitbug/) for reporting this vulnerability to us.","severity":"medium","status":"fixed","source":"osv","source_url":"https://crates.io/crates/openssl","labels":["GHSA-4fcv-w3qc-ppgg"],"created_at":"2026-04-19T04:32:14.669694+00:00","updated_at":"2026-04-19T04:32:14.669694+00:00"},{"id":931,"ecosystem":"cargo","package_name":"openssl","affected_version":"0.0.0-0","fixed_version":"0.10.70","bug_id":"osv:RUSTSEC-2025-0004","title":"ssl::select_next_proto use after free","description":"In `openssl` versions before `0.10.70`, `ssl::select_next_proto` can return a slice pointing into the `server` argument's buffer but with a lifetime bound to the `client` argument. In situations where the `server` buffer's lifetime is shorter than the `client` buffer's, this can cause a use after free. 
This could cause the server to crash or to return arbitrary memory contents to the client.\n\n`openssl` 0.10.70 fixes the signature of `ssl::select_next_proto` to properly constrain the output buffer's lifetime to that of both input buffers.\n\nIn standard usage of `ssl::select_next_proto` in the callback passed to `SslContextBuilder::set_alpn_select_callback`, code is only affected if the `server` buffer is constructed *within* the callback. For example:\n\nNot vulnerable - the server buffer has a `'static` lifetime:\n```rust\nbuilder.set_alpn_select_callback(|_, client_protos| {\n    ssl::select_next_proto(b\"\\x02h2\", client_protos).ok_or_else(AlpnError::NOACK)\n});\n```\n\nNot vulnerable - the server buffer outlives the handshake:\n```rust\nlet server_protos = b\"\\x02h2\".to_vec();\nbuilder.set_alpn_select_callback(|_, client_protos| {\n    ssl::select_next_proto(&server_protos, client_protos).ok_or_else(AlpnError::NOACK)\n});\n```\n\nVulnerable - the server buffer is freed when the callback returns:\n```rust\nbuilder.set_alpn_select_callback(|_, client_protos| {\n    let server_protos = b\"\\x02h2\".to_vec();\n    ssl::select_next_proto(&server_protos, client_protos).ok_or_else(AlpnError::NOACK)\n});\n```","severity":"medium","status":"fixed","source":"osv","source_url":"https://crates.io/crates/openssl","labels":["CVE-2025-24898","GHSA-rpmj-rpgj-qmpm"],"created_at":"2026-04-19T04:32:14.669252+00:00","updated_at":"2026-04-19T04:32:14.669252+00:00"},{"id":930,"ecosystem":"cargo","package_name":"openssl","affected_version":"0.0.0-0","fixed_version":"0.10.66","bug_id":"osv:RUSTSEC-2024-0357","title":"`MemBio::get_buf` has undefined behavior with empty buffers","description":"Previously, `MemBio::get_buf` called `slice::from_raw_parts` with a null-pointer, which violates the functions invariants, leading to undefined behavior. In debug builds this would produce an assertion failure. 
This is now fixed.","severity":"medium","status":"fixed","source":"osv","source_url":"https://crates.io/crates/openssl","labels":["GHSA-q445-7m23-qrmw"],"created_at":"2026-04-19T04:32:14.668870+00:00","updated_at":"2026-04-19T04:32:14.668870+00:00"},{"id":929,"ecosystem":"cargo","package_name":"openssl","affected_version":"0.0.0-0","fixed_version":"0.10.60","bug_id":"osv:RUSTSEC-2023-0072","title":"`openssl` `X509StoreRef::objects` is unsound","description":"This function returned a shared reference into an OpenSSL datastructure but did not account for interior mutability. OpenSSL may modify the data behind this reference, meaning accesses can race and the reference is unsound.\n\nUse of this function should be replaced with `X509StoreRef::all_certificates`.","severity":"medium","status":"fixed","source":"osv","source_url":"https://crates.io/crates/openssl","labels":["GHSA-xphf-cx8h-7q9g"],"created_at":"2026-04-19T04:32:14.668499+00:00","updated_at":"2026-04-19T04:32:14.668499+00:00"},{"id":928,"ecosystem":"cargo","package_name":"openssl","affected_version":"0.0.0-0","fixed_version":"0.10.55","bug_id":"osv:RUSTSEC-2023-0044","title":"`openssl` `X509VerifyParamRef::set_host` buffer over-read","description":"When this function was passed an empty string, `openssl` would attempt to call `strlen` on it, reading arbitrary memory until it reached a NUL byte.","severity":"medium","status":"fixed","source":"osv","source_url":"https://crates.io/crates/openssl","labels":["CVE-2023-53159","GHSA-xcf7-rvmh-g6q4"],"created_at":"2026-04-19T04:32:14.668116+00:00","updated_at":"2026-04-19T04:32:14.668116+00:00"},{"id":927,"ecosystem":"cargo","package_name":"openssl","affected_version":"0.0.0-0","fixed_version":"0.10.48","bug_id":"osv:RUSTSEC-2023-0024","title":"`openssl` `X509Extension::new` and `X509Extension::new_nid` null pointer dereference","description":"These functions would crash when the context argument was None with certain extension types.\n\nThanks to David Benjamin 
(Google) for reporting this issue.","severity":"medium","status":"fixed","source":"osv","source_url":"https://crates.io/crates/openssl","labels":["GHSA-6hcf-g6gr-hhcr"],"created_at":"2026-04-19T04:32:14.667715+00:00","updated_at":"2026-04-19T04:32:14.667715+00:00"},{"id":926,"ecosystem":"cargo","package_name":"openssl","affected_version":"0.0.0-0","fixed_version":"0.10.48","bug_id":"osv:RUSTSEC-2023-0023","title":"`openssl` `SubjectAlternativeName` and `ExtendedKeyUsage::other` allow arbitrary file read","description":"`SubjectAlternativeName` and `ExtendedKeyUsage` arguments were parsed using the OpenSSL\nfunction `X509V3_EXT_nconf`. This function parses all input using an OpenSSL mini-language\nwhich can perform arbitrary file reads.\n\nThanks to David Benjamin (Google) for reporting this issue.","severity":"medium","status":"fixed","source":"osv","source_url":"https://crates.io/crates/openssl","labels":["GHSA-9qwg-crg9-m2vc"],"created_at":"2026-04-19T04:32:14.667089+00:00","updated_at":"2026-04-19T04:32:14.667089+00:00"},{"id":925,"ecosystem":"cargo","package_name":"openssl","affected_version":"0.0.0-0","fixed_version":"0.10.48","bug_id":"osv:RUSTSEC-2023-0022","title":"`openssl` `X509NameBuilder::build` returned object is not thread safe","description":"OpenSSL has a `modified` bit that it can set on on `X509_NAME` objects. 
If this\nbit is set then the object is not thread-safe even when it appears the code is\nnot modifying the value.\n\nThanks to David Benjamin (Google) for reporting this issue.","severity":"medium","status":"fixed","source":"osv","source_url":"https://crates.io/crates/openssl","labels":["GHSA-3gxf-9r58-2ghg"],"created_at":"2026-04-19T04:32:14.666678+00:00","updated_at":"2026-04-19T04:32:14.666678+00:00"},{"id":924,"ecosystem":"cargo","package_name":"openssl","affected_version":"0.10.8","fixed_version":"0.10.9","bug_id":"osv:RUSTSEC-2018-0010","title":"Use after free in CMS Signing","description":"Affected versions of the OpenSSL crate used structures after they'd been freed.","severity":"medium","status":"fixed","source":"osv","source_url":"https://crates.io/crates/openssl","labels":["CVE-2018-20997","GHSA-xjxc-vfw2-cg96"],"created_at":"2026-04-19T04:32:14.666276+00:00","updated_at":"2026-04-19T04:32:14.666276+00:00"},{"id":923,"ecosystem":"cargo","package_name":"openssl","affected_version":"0.0.0-0","fixed_version":"0.9.0","bug_id":"osv:RUSTSEC-2016-0001","title":"SSL/TLS MitM vulnerability due to insecure defaults","description":"All versions of rust-openssl prior to 0.9.0 contained numerous insecure defaults\nincluding off-by-default certificate verification and no API to perform hostname\nverification.\n\nUnless configured correctly by a developer, these defaults could allow an attacker\nto perform man-in-the-middle attacks.\n\nThe problem was addressed in newer versions by enabling certificate verification\nby default and exposing APIs to perform hostname verification. 
Use the\n`SslConnector` and `SslAcceptor` types to take advantage of these new features\n(as opposed to the lower-level `SslContext` type).","severity":"medium","status":"fixed","source":"osv","source_url":"https://crates.io/crates/openssl","labels":["CVE-2016-10931","GHSA-34p9-f4q3-c4r7"],"created_at":"2026-04-19T04:32:14.665901+00:00","updated_at":"2026-04-19T04:32:14.665901+00:00"},{"id":922,"ecosystem":"cargo","package_name":"openssl","affected_version":"0.10.29","fixed_version":"0.10.60","bug_id":"osv:GHSA-xphf-cx8h-7q9g","title":"`openssl` `X509StoreRef::objects` is unsound","description":"This function returned a reference into an OpenSSL datastructure, but there was no way to ensure OpenSSL would not mutate the datastructure behind one's back.\n\nUse of this function should be replaced with `X509StoreRef::all_certificates`.\n","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/sfackler/rust-openssl/issues/2096","labels":["RUSTSEC-2023-0072"],"created_at":"2026-04-19T04:32:14.665518+00:00","updated_at":"2026-04-19T04:32:14.665518+00:00"},{"id":920,"ecosystem":"cargo","package_name":"openssl","affected_version":"0.10.0","fixed_version":"0.10.55","bug_id":"osv:GHSA-xcf7-rvmh-g6q4","title":"`openssl` `X509VerifyParamRef::set_host` buffer over-read","description":"When this function was passed an empty string, `openssl` would attempt to call `strlen` on it, reading arbitrary memory until it reached a NUL byte.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-53159","labels":["CVE-2023-53159","RUSTSEC-2023-0044"],"created_at":"2026-04-19T04:32:14.664723+00:00","updated_at":"2026-04-19T04:32:14.664723+00:00"},{"id":919,"ecosystem":"cargo","package_name":"openssl","affected_version":"0.10.0","fixed_version":"0.10.70","bug_id":"osv:GHSA-rpmj-rpgj-qmpm","title":"rust-openssl ssl::select_next_proto use after free","description":"### Impact\n`ssl::select_next_proto` can return 
a slice pointing into the `server` argument's buffer but with a lifetime bound to the `client` argument. In situations where the `server` buffer's lifetime is shorter than the `client` buffer's, this can cause a use after free. This could cause the server to crash or to return arbitrary memory contents to the client.\n\n### Patches\n`openssl` 0.10.70 fixes the signature of `ssl::select_next_proto` to properly constrain the output buffer's lifetime to that of both input buffers.\n\n### Workarounds\nIn standard usage of `ssl::select_next_proto` in the callback passed to `SslContextBuilder::set_alpn_select_callback`, code is only affected if the `server` buffer is constructed *within* the callback. For example:\n\nNot vulnerable - the server buffer has a `'static` lifetime:\n```rust\nbuilder.set_alpn_select_callback(|_, client_protos| {\n    ssl::select_next_proto(b\"\\x02h2\", client_protos).ok_or_else(AlpnError::NOACK)\n});\n```\n\nNot vulnerable - the server buffer outlives the handshake:\n```rust\nlet server_protos = b\"\\x02h2\".to_vec();\nbuilder.set_alpn_select_callback(|_, client_protos| {\n    ssl::select_next_proto(&server_protos, client_protos).ok_or_else(AlpnError::NOACK)\n});\n```\n\nVulnerable - the server buffer is freed when the callback returns:\n```rust\nbuilder.set_alpn_select_callback(|_, client_protos| {\n    let server_protos = b\"\\x02h2\".to_vec();\n    ssl::select_next_proto(&server_protos, client_protos).ok_or_else(AlpnError::NOACK)\n});\n```\n\n### 
References\nhttps://github.com/sfackler/rust-openssl/pull/2360","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/sfackler/rust-openssl/security/advisories/GHSA-rpmj-rpgj-qmpm","labels":["CVE-2025-24898","RUSTSEC-2025-0004"],"created_at":"2026-04-19T04:32:14.664231+00:00","updated_at":"2026-04-19T04:32:14.664231+00:00"},{"id":918,"ecosystem":"cargo","package_name":"openssl","affected_version":null,"fixed_version":"0.10.66","bug_id":"osv:GHSA-q445-7m23-qrmw","title":"openssl's `MemBio::get_buf` has undefined behavior with empty buffers","description":"Previously, `MemBio::get_buf` called `slice::from_raw_parts` with a null-pointer, which violates the functions invariants, leading to undefined behavior. In debug builds this would produce an assertion failure. This is now fixed.\n","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/sfackler/rust-openssl/pull/2266","labels":["RUSTSEC-2024-0357"],"created_at":"2026-04-19T04:32:14.663829+00:00","updated_at":"2026-04-19T04:32:14.663829+00:00"},{"id":915,"ecosystem":"cargo","package_name":"openssl","affected_version":"0.10.39","fixed_version":"0.10.72","bug_id":"osv:GHSA-4fcv-w3qc-ppgg","title":"rust-openssl Use-After-Free in `Md::fetch` and `Cipher::fetch`","description":"When a `Some(...)` value was passed to the `properties` argument of either of these functions, a use-after-free would result.\n\nIn practice this would nearly always result in OpenSSL treating the properties as an empty string (due to `CString::drop`'s behavior).\n\nThe maintainers thank [quitbug](https://github.com/quitbug/) for reporting this vulnerability to 
us.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/sfackler/rust-openssl/pull/2390","labels":["RUSTSEC-2025-0022"],"created_at":"2026-04-19T04:32:14.662553+00:00","updated_at":"2026-04-19T04:32:14.662553+00:00"},{"id":914,"ecosystem":"cargo","package_name":"openssl","affected_version":"0.9.7","fixed_version":"0.10.48","bug_id":"osv:GHSA-3gxf-9r58-2ghg","title":"`openssl` `X509NameBuilder::build` returned object is not thread safe","description":"OpenSSL has a `modified` bit that it can set on on `X509_NAME` objects. If this bit is set then the object is not thread-safe even when it appears the code is not modifying the value.\n\nThanks to David Benjamin (Google) for reporting this issue.\n","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/sfackler/rust-openssl/pull/1854","labels":["RUSTSEC-2023-0022"],"created_at":"2026-04-19T04:32:14.662048+00:00","updated_at":"2026-04-19T04:32:14.662048+00:00"},{"id":921,"ecosystem":"cargo","package_name":"openssl","affected_version":"0.10.8","fixed_version":"0.10.9","bug_id":"osv:GHSA-xjxc-vfw2-cg96","title":"Use after free in openssl","description":"An issue was discovered in the openssl crate before 0.10.9 for Rust. A use-after-free occurs in CMS Signing.","severity":"critical","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-20997","labels":["CVE-2018-20997","RUSTSEC-2018-0010"],"created_at":"2026-04-19T04:32:14.665124+00:00","updated_at":"2026-04-19T04:32:14.665124+00:00"}],"total":20,"_cache":"miss"}
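The RUSTSEC-2025-0004 / GHSA-rpmj-rpgj-qmpm entries above describe the `ssl::select_next_proto` use after free only in terms of lifetimes. The following is an added example, not rust-openssl's code: a pure-Rust model of ALPN selection (RFC 7301 length-prefixed name lists, server preference order, `None` on no overlap, which is how the crate maps `OPENSSL_NPN_NO_OVERLAP` to `AlpnError::NOACK`) written with the 0.10.70 signature, where one lifetime `'a` ties the result to both inputs. `parse_alpn_list` and `choose_per_handshake` are names chosen here, not crate APIs; no OpenSSL FFI is involved.

```rust
// Added example: a safe-Rust model of ssl::select_next_proto with the
// post-0.10.70 lifetime constraint. Not rust-openssl's implementation.

/// Split an ALPN protocol list (RFC 7301 wire format: a sequence of
/// length-prefixed names, each 1..=255 bytes) into its names.
/// Returns None for a malformed list (a zero length, or a length that runs
/// past the end of the buffer) instead of reading out of bounds.
fn parse_alpn_list(list: &[u8]) -> Option<Vec<&[u8]>> {
    let mut names = Vec::new();
    let mut rest = list;
    while let Some((&len, tail)) = rest.split_first() {
        let len = len as usize;
        if len == 0 || tail.len() < len {
            return None;
        }
        names.push(&tail[..len]);
        rest = &tail[len..];
    }
    Some(names)
}

/// Pick the first protocol in `server` (preference order) that the client
/// also offered. The single lifetime `'a` on both inputs and the output is
/// the fix from the advisory: the returned slice borrows from `server`, so
/// the compiler refuses to let it outlive either buffer. The pre-0.10.70
/// signature `fn(server: &[u8], client: &'a [u8]) -> Option<&'a [u8]>` only
/// compiled because the crate built the slice from a raw pointer with
/// `slice::from_raw_parts`, which lets the caller pick any lifetime; this
/// safe body would not compile under that signature.
pub fn select_next_proto<'a>(server: &'a [u8], client: &'a [u8]) -> Option<&'a [u8]> {
    let server = parse_alpn_list(server)?;
    let client = parse_alpn_list(client)?;
    server.into_iter().find(|s| client.iter().any(|c| c == s))
}

/// The pattern the advisory calls vulnerable: the server list is built inside
/// the per-handshake callback. Under the fixed signature this only compiles
/// if the selection is copied out before the local buffer is dropped.
pub fn choose_per_handshake(client_protos: &[u8], prefer_h2: bool) -> Option<Vec<u8>> {
    let server_protos: Vec<u8> = if prefer_h2 {
        b"\x02h2\x08http/1.1".to_vec()
    } else {
        b"\x08http/1.1\x02h2".to_vec()
    };
    // Returning `select_next_proto(&server_protos, client_protos)` directly
    // (an `Option<&[u8]>`) is rejected: `server_protos` does not live long enough.
    select_next_proto(&server_protos, client_protos).map(<[u8]>::to_vec)
}

fn main() {
    // Constructed ClientHello ALPN list: http/1.1 first, then h2.
    let client = b"\x08http/1.1\x02h2";
    match select_next_proto(b"\x02h2\x08http/1.1", client) {
        Some(p) => println!("negotiated {}", String::from_utf8_lossy(p)),
        None => println!("no overlap"),
    }
    let owned = choose_per_handshake(client, false);
    println!("{:?}", owned.map(|v| String::from_utf8_lossy(&v).into_owned()));
}
```

The selection walks the server list, so the server's order wins regardless of what the client listed first; a list with a zero-length name or a truncated entry is rejected rather than partially parsed. When a per-connection server list is genuinely needed, return an owned `Vec<u8>` as `choose_per_handshake` does, or keep the list in a buffer that outlives the handshake as the advisory's second non-vulnerable snippet shows.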
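The RUSTSEC-2024-0357 / GHSA-q445-7m23-qrmw entries state that `MemBio::get_buf` passed a null pointer to `slice::from_raw_parts`, which violates that function's invariants (the pointer must be non-null and aligned even when the length is zero). Added example, not rust-openssl's code: `FakeMemBio` is a constructed stand-in for an OpenSSL memory BIO that, like an empty BIO, reports a null data pointer when nothing has been written, and `slice_from_c` is the guard that turns such a (NULL, 0) pair into an empty slice instead of undefined behaviour.

```rust
// Added example: guarding slice::from_raw_parts at an FFI boundary.
// FakeMemBio and slice_from_c are names chosen for this example, not OpenSSL
// or rust-openssl types.
use std::slice;

/// Stand-in for a C memory BIO: hands out (data pointer, length) the way a
/// BIO_get_mem_data-style accessor does. Constructed for this example.
pub struct FakeMemBio {
    data: Vec<u8>,
}

impl FakeMemBio {
    pub fn new() -> Self {
        FakeMemBio { data: Vec::new() }
    }

    pub fn write(&mut self, bytes: &[u8]) {
        self.data.extend_from_slice(bytes);
    }

    /// An empty BIO has no backing allocation yet, so it reports NULL.
    pub fn raw_parts(&self) -> (*const u8, usize) {
        if self.data.is_empty() {
            (std::ptr::null(), 0)
        } else {
            (self.data.as_ptr(), self.data.len())
        }
    }

    /// The post-fix shape of get_buf: never hands a null pointer to
    /// from_raw_parts. In debug builds the unguarded call trips an
    /// assertion, as the advisory notes; in release builds it is silent UB.
    pub fn get_buf(&self) -> &[u8] {
        let (ptr, len) = self.raw_parts();
        // SAFETY: ptr/len come from our own Vec, which lives as long as &self
        // and is not modified through a shared reference.
        unsafe { slice_from_c(ptr, len) }
    }
}

/// Safe view over a C buffer.
/// Safety contract: when `ptr` is non-null it must point to `len` initialized
/// bytes that stay alive and unmodified for `'a`. The null or zero-length
/// case is handled here rather than forwarded to from_raw_parts.
pub unsafe fn slice_from_c<'a>(ptr: *const u8, len: usize) -> &'a [u8] {
    if ptr.is_null() || len == 0 {
        return &[];
    }
    // SAFETY: non-null and non-empty; the caller upholds the rest.
    unsafe { slice::from_raw_parts(ptr, len) }
}

fn main() {
    let mut bio = FakeMemBio::new();
    println!("empty: {:?}", bio.get_buf()); // [] rather than a debug assertion
    bio.write(b"-----BEGIN CERTIFICATE-----");
    println!("len {}", bio.get_buf().len());
}
```

The same guard belongs in front of every `from_raw_parts` call that wraps a C accessor, because C APIs routinely return NULL for "no data" while Rust requires a dangling-but-aligned pointer such as `NonNull::dangling()` for an empty slice.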
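The records above give each advisory an `affected_version` / `fixed_version` pair, which is the information a practitioner needs to decide whether a pinned `openssl` crate version is still exposed. Added example, not the database's or the crate's code: the ranges are copied from the RustSec records on this page ("0.0.0-0" is the database's sentinel for "every release before `fixed_version`"), the version parser is deliberately minimal (std only, three numeric components), and `Advisory`, `parse_version`, `is_affected` and `outstanding_advisories` are names chosen here.

```rust
// Added example: which advisories on this page apply to a given openssl
// crate version. Ranges are the RustSec records' values; the struct and
// functions are this example's, not an existing tool's API.

/// One advisory's version range, as the page records it.
pub struct Advisory {
    pub id: &'static str,
    pub introduced: &'static str, // first affected version, or "0.0.0-0"
    pub fixed: &'static str,      // first version that is NOT affected
}

pub const OPENSSL_ADVISORIES: &[Advisory] = &[
    Advisory { id: "RUSTSEC-2016-0001", introduced: "0.0.0-0", fixed: "0.9.0" },
    Advisory { id: "RUSTSEC-2018-0010", introduced: "0.10.8", fixed: "0.10.9" },
    Advisory { id: "RUSTSEC-2023-0022", introduced: "0.0.0-0", fixed: "0.10.48" },
    Advisory { id: "RUSTSEC-2023-0023", introduced: "0.0.0-0", fixed: "0.10.48" },
    Advisory { id: "RUSTSEC-2023-0024", introduced: "0.0.0-0", fixed: "0.10.48" },
    Advisory { id: "RUSTSEC-2023-0044", introduced: "0.0.0-0", fixed: "0.10.55" },
    Advisory { id: "RUSTSEC-2023-0072", introduced: "0.0.0-0", fixed: "0.10.60" },
    Advisory { id: "RUSTSEC-2024-0357", introduced: "0.0.0-0", fixed: "0.10.66" },
    Advisory { id: "RUSTSEC-2025-0004", introduced: "0.0.0-0", fixed: "0.10.70" },
    Advisory { id: "RUSTSEC-2025-0022", introduced: "0.10.39", fixed: "0.10.72" },
];

/// Parse "MAJOR.MINOR.PATCH" into a tuple that compares in numeric order
/// (so 0.10.x > 0.9.x, unlike a string compare). A "-suffix" is dropped,
/// which is right for the "0.0.0-0" sentinel but would treat "0.10.70-rc1"
/// as the release; real tooling should use the semver crate.
pub fn parse_version(s: &str) -> Option<(u64, u64, u64)> {
    let core = s.split('-').next()?;
    let mut parts = core.split('.').map(|p| p.parse::<u64>().ok());
    let v = (parts.next()??, parts.next()??, parts.next()??);
    if parts.next().is_some() {
        return None; // "1.2.3.4" is not a version
    }
    Some(v)
}

/// True when `version` lies in [introduced, fixed). None if any string is
/// not parseable, so a caller cannot mistake "unknown" for "not affected".
pub fn is_affected(version: &str, adv: &Advisory) -> Option<bool> {
    let v = parse_version(version)?;
    Some(v >= parse_version(adv.introduced)? && v < parse_version(adv.fixed)?)
}

/// Advisory ids that still apply to `version`, in the table's order.
pub fn outstanding_advisories(version: &str) -> Option<Vec<&'static str>> {
    let mut hits = Vec::new();
    for adv in OPENSSL_ADVISORIES {
        if is_affected(version, adv)? {
            hits.push(adv.id);
        }
    }
    Some(hits)
}

fn main() {
    // Constructed input: versions a Cargo.lock might pin.
    for v in ["0.10.55", "0.10.72", "0.9.5", "0.10"] {
        match outstanding_advisories(v) {
            Some(ids) if ids.is_empty() => println!("openssl {}: nothing outstanding", v),
            Some(ids) => println!("openssl {}: {}", v, ids.join(", ")),
            None => println!("openssl {}: cannot parse version", v),
        }
    }
}
```

Two caveats the page itself exposes. First, each advisory appears twice (an OSV/GHSA mirror and a RustSec record) and the pairs disagree on `affected_version` (for example "0.9.7" versus "0.0.0-0" for RUSTSEC-2023-0022, "0.10.0" versus "0.0.0-0" for RUSTSEC-2023-0044) and on severity (CVE-2018-20997 is "medium" in one record and "critical" in the other); the table above takes the wider RustSec ranges, which is the conservative choice when you cannot tell which source is right. Second, the half-open range `[introduced, fixed)` means a version equal to `fixed_version` is clean, so 0.10.55 is not flagged for RUSTSEC-2023-0044 but is flagged for the four later advisories.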