{"id":"HSEC-2023-0005","summary":"tls-extra: certificate validation does not check Basic Constraints","details":"# tls-extra: certificate validation does not check Basic Constraints\n\n*tls-extra* does not check the Basic Constraints extension of a\ncertificate in certificate chain processing.  Any certificate is\ntreated as a CA certificate.  As a consequence, anyone who has a\nvalid certificate can use it to sign another one (with an arbitrary\nsubject DN/domain name embedded into it) and have it accepted by\n*tls*.  This allows MITM attacks on TLS connections.\n","aliases":["CVE-2013-0243"],"modified":"2025-11-14T18:15:34.407551Z","published":"2025-11-14T14:45:34Z","database_specific":{"osvs":"https://raw.githubusercontent.com/haskell/security-advisories/refs/heads/generated/osv-export","home":"https://github.com/haskell/security-advisories","repository":"https://github.com/haskell/security-advisories"},"references":[{"type":"DISCUSSION","url":"https://www.openwall.com/lists/oss-security/2013/01/30/6"},{"type":"REPORT","url":"https://github.com/haskell-tls/hs-tls/issues/29"},{"type":"FIX","url":"https://github.com/haskell-tls/hs-tls/commit/15885c0649ceabd2f4d2913df8ac6dc63d6b3b37"}],"affected":[{"package":{"name":"tls-extra","ecosystem":"Hackage","purl":"pkg:hackage/tls-extra"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0.1.0"},{"fixed":"0.4.6.1"}]}],"versions":["0.1.0","0.1.1","0.1.2","0.1.3","0.1.4","0.1.5","0.1.6","0.1.7","0.1.8","0.1.9","0.2.0","0.2.1","0.2.2","0.2.3","0.3.0","0.3.1","0.4.0","0.4.1","0.4.2","0.4.2.1","0.4.3","0.4.4","0.4.5","0.4.6"],"database_specific":{"human_link":"https://github.com/haskell/security-advisories/tree/main/advisories/published/2023/HSEC-2023-0005.md","osv":"https://raw.githubusercontent.com/haskell/security-advisories/refs/heads/generated/osv-export/2023/HSEC-2023-0005.json","source":"https://github.com/haskell/security-advisories/blob/generated/osv-export/2023/HSEC-2023-0005.json"},"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"}]}],"schema_version":"1.7.3"}