GHSA-82j2-j2ch-gfr8

ADVISORY - rustsec

Summary

A panic was reachable when parsing certificate revocation lists via [BorrowedCertRevocationList::from_der] or [OwnedCertRevocationList::from_der]. This was the result of mishandling a syntactically valid empty BIT STRING appearing in the onlySomeReasons element of a IssuingDistributionPoint CRL extension.

This panic is reachable prior to a CRL's signature being verified.

Applications that do not use CRLs are not affected.

Thank you to @tynus3 for the report.

Common Weakness Enumeration (CWE)

Impacted images

Advisories

Sign in to Docker Scout

See which of your images are affected by this CVE and how to fix them by signing into Docker Scout.