CVE-2016-10931

In the openssl crate (Rust bindings) before version 0.9.0, TLS certificate verification was disabled by default and the API lacked hostname verification functionality. This means that without explicit configuration, SSL/TLS connections would not validate the authenticity of the server's certificate [1][3].

An attacker with network access could intercept the communication by presenting any arbitrary certificate, which the client would accept. The vulnerability is a classic man-in-the-middle due to insecure defaults. No authentication or special privileges are required beyond network position [3].

Successful exploitation allows the attacker to decrypt and read or modify the encrypted traffic, compromising confidentiality and integrity of data transmitted over TLS. The RustSec advisory rates this as HIGH severity (CVSS 8.1) [3].

The issue is fixed in version 0.9.0 of the openssl crate. Users should upgrade to 0.9.0 or later. The release notes for 0.9.0 detail major changes, including addressing these insecure defaults [2][4].