x509-validation does not enforce pathLenConstraint
x509-validation prior to version 1.4.8 did not enforce the pathLenConstraint value of the basicConstraints extension. A CA whose pathLenConstraint limits the depth of subordinate CAs beneath it could accidentally (or deliberately) issue further CAs deeper than the permitted depth, and x509-validation would accept certificates issued by those unauthorised intermediate CAs.
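To make the missing check concrete, here is an added example (not code from x509-validation or hs-certificate) that models the RFC 5280 section 6.1.4 path-length accounting over a constructed chain, with a flag that skips the pathLenConstraint step to approximate the pre-1.4.8 behaviour. The `Cert` type, the chain ordering and the scenario names are all assumptions of this example.

```python
# Added example, not x509-validation's own code. `chain` is ordered from the
# first certificate below the trust anchor down to the end-entity certificate;
# the trust anchor itself is not part of the list.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Cert:
    name: str
    is_ca: bool                     # basicConstraints cA flag
    path_len: Optional[int] = None  # basicConstraints pathLenConstraint, if present
    self_issued: bool = False       # subject == issuer, e.g. a CA key-rollover cert


def check_chain(chain: List[Cert], enforce_path_len: bool = True) -> Optional[str]:
    """Return None if the chain is acceptable, otherwise a short error string.

    With enforce_path_len=False the pathLenConstraint values are read but never
    applied, which approximates the pre-1.4.8 behaviour the advisory describes.
    """
    max_path_length = len(chain)            # RFC 5280 6.1.2: initialised to n
    for i, cert in enumerate(chain):
        if i == len(chain) - 1:
            break                           # the end-entity cert is never counted
        if not cert.is_ca:
            return f"{cert.name}: intermediate without cA=TRUE"
        if not cert.self_issued:            # step (l): self-issued certs are free
            if max_path_length <= 0:
                return f"{cert.name}: exceeds pathLenConstraint of an ancestor CA"
            max_path_length -= 1
        if enforce_path_len and cert.path_len is not None:
            max_path_length = min(max_path_length, cert.path_len)   # step (m)
    return None


# Constructed scenario from the advisory: a CA constrained to pathLen=0 issues a
# further subordinate CA, which then issues the end-entity certificate.
CONSTRAINED = Cert("Constrained CA", is_ca=True, path_len=0)
ROGUE_SUB = Cert("Unauthorised Sub-CA", is_ca=True)
LEAF = Cert("server.example", is_ca=False)


def demo():
    """Direct issuance is fine; the extra sub-CA is rejected only when enforced."""
    return (check_chain([CONSTRAINED, LEAF]),
            check_chain([CONSTRAINED, ROGUE_SUB, LEAF]),
            check_chain([CONSTRAINED, ROGUE_SUB, LEAF], enforce_path_len=False))
```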
Info
- Published: July 19, 2023
- Modified: July 19, 2023
- CAPECs: < none >
- CWEs: 295
- Keywords: x509, pki, historical
- Aliases: < none >
- Related: < none >
- References:
  - [FIX] https://github.com/haskell-tls/hs-certificate/commit/06d15dbbc53739314760d8504ca764000770e46e
Affected
x509-validation
- CVSS: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N
- Versions: >=1.4.0 && <1.4.8
- Declarations: < none >