AZL-26812

See a problem?

Import Source

https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-26812.json

JSON Data

https://api.test.osv.dev/v1/vulns/AZL-26812

Upstream

CVE-2023-28321

Published

2023-05-26T21:15:16Z

Modified

2026-04-01T05:08:31.670453Z

Severity

5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator

Summary

CVE-2023-28321 affecting package rust for versions less than 1.72.0-2

Details

An improper certificate validation vulnerability exists in curl <v8.1.0 in the way it supports matching of wildcard patterns when listed as "Subject Alternative Name" in TLS server certificates. curl can be built to use its own name matching function for TLS rather than one provided by a TLS library. This private wildcard matching function would match IDN (International Domain Name) hosts incorrectly and could as a result accept patterns that otherwise should mismatch. IDN hostnames are converted to puny code before used for certificate checks. Puny coded names always start with xn-- and should not be allowed to pattern match, but the wildcard check in curl could still check for x*, which would match even though the IDN name most likely contained nothing even resembling an x.

References

https://nvd.nist.gov/vuln/detail/CVE-2023-28321

Affected packages

Azure Linux:2 / rust

Package

Name: rust
Purl: pkg:rpm/azure-linux/rust

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.72.0-2

Database specific

source

"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-26812.json"