{"id":"RUSTSEC-2016-0002","summary":"HTTPS MitM vulnerability due to lack of hostname verification","details":"When used on Windows platforms, all versions of Hyper prior to 0.9.4 did not\nperform hostname verification when making HTTPS requests.\n\nThis allows an attacker to perform MitM attacks by preventing any valid\nCA-issued certificate, even if there's a hostname mismatch.\n\nThe problem was addressed by leveraging rust-openssl's built-in support for\nhostname verification.","aliases":["CVE-2016-10932","GHSA-9xjr-m6f3-v5wm"],"modified":"2026-02-04T02:51:51.570285Z","published":"2016-05-09T12:00:00Z","related":["RUSTSEC-2016-0001"],"database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/hyper"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2016-0002.html"},{"type":"WEB","url":"https://github.com/hyperium/hyper/blob/master/CHANGELOG.md#v094-2016-05-09"}],"affected":[{"package":{"name":"hyper","ecosystem":"crates.io","purl":"pkg:cargo/hyper"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.0.0-0"},{"fixed":"0.9.4"}]}],"ecosystem_specific":{"affected_functions":null,"affects":{"functions":[],"arch":[],"os":["windows"]}},"database_specific":{"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2016-0002.json","cvss":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N","categories":["crypto-failure"],"informational":null}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"}]}