[advisory]
id = "HSEC-2023-0006"
cwe = [295]
keywords = ["x509", "pki", "historical"]

[[affected]]
package = "x509-validation"
cvss = "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N"

[[affected.versions]]
introduced = "1.4.0"
fixed = "1.4.8"

[[references]]
type = "FIX"
url = "https://github.com/haskell-tls/hs-certificate/commit/06d15dbbc53739314760d8504ca764000770e46e"

x509-validation does not enforce pathLenConstraint

x509-validation prior to version 1.4.8 did not enforce the pathLenConstraint value. Constrained CAs could accidentally (or deliberately) issue CAs below the maximum depth and x509-validation would accept certificates issued by the unauthorised intermediate CAs.