
Cloud Vulnerability DB
A community-led vulnerabilities database
The NATS official Rust clients (async-nats package) were found vulnerable to Man-in-the-Middle (MitM) attacks when using TLS. The vulnerability was discovered and reported on March 24, 2023, and affects versions prior to 0.29.0. The issue lies in the TLS certificate common name validation process, where the certificate's common name is validated against the hostname provided by the server's plaintext INFO message during the initial connection setup phase (RustSec Advisory, GitHub Advisory).
The vulnerability stems from the way the TLS certificate validation is performed. During the connection setup, the client validates the server's TLS certificate common name against a hostname received in a plaintext INFO message. This implementation flaw allows a malicious proxy to manipulate the host field value in the INFO message, substituting it with the common name of a valid certificate under their control. The rustls library then accepts this certificate after verifying that the common name matches the attacker-controlled value (RustSec Advisory).
The vulnerability enables Man-in-the-Middle attacks against TLS-protected connections. An attacker can intercept the connection and fool the client into accepting a malicious certificate, potentially compromising the confidentiality and integrity of the communication between the client and the NATS server (GitHub Advisory).
The vulnerability has been patched in version 0.29.0 of the async-nats package. Users are strongly advised to upgrade to this version or later. The fix involves changes to the TLS connection validation process to prevent the acceptance of attacker-controlled certificate validation parameters (GitHub Advisory).
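To make the decision point concrete, the following Rust sketch (an added illustration, not code from async-nats or rustls) contrasts the vulnerable name check, which takes the expected TLS name from the plaintext INFO message, with the hardened one, which uses the host the client itself dialed. The INFO parser and `ServerCert` type are simplified stand-ins so the example runs without external crates.

```rust
// Added illustration of the async-nats (< 0.29.0) TLS name-check flaw.
// Not the project's code: the INFO parsing and certificate model are
// simplified stand-ins so the example runs without rustls or serde.

/// Simplified stand-in for a server certificate: only the names it covers.
pub struct ServerCert {
    pub names: Vec<String>,
}

impl ServerCert {
    /// Simulates the TLS library's check that the certificate covers `name`.
    pub fn covers(&self, name: &str) -> bool {
        self.names.iter().any(|n| n == name)
    }
}

/// Extract the `host` field from a plaintext NATS INFO line such as
/// `INFO {"server_id":"x","host":"nats.example.com","port":4222}`.
/// Minimal hand parser (assumption: the value contains no escaped quotes).
pub fn info_host(info_line: &str) -> Option<String> {
    let body = info_line.strip_prefix("INFO ")?;
    let start = body.find("\"host\":\"")? + "\"host\":\"".len();
    let end = body[start..].find('"')? + start;
    Some(body[start..end].to_string())
}

/// Vulnerable behaviour: the expected TLS name comes from the plaintext
/// INFO message, which a proxy can rewrite before the TLS handshake starts.
pub fn vulnerable_accepts(info_line: &str, cert: &ServerCert) -> bool {
    info_host(info_line).map_or(false, |name| cert.covers(&name))
}

/// Hardened behaviour: the expected TLS name is the host the client dialed,
/// so nothing received over the unauthenticated channel can change it.
pub fn hardened_accepts(dialed_host: &str, cert: &ServerCert) -> bool {
    cert.covers(dialed_host)
}

fn main() {
    // Constructed scenario: the client dialed nats.example.com, but a proxy
    // in the path rewrote the INFO host and presents a certificate it holds.
    let tampered_info =
        "INFO {\"server_id\":\"s1\",\"host\":\"proxy.example.net\",\"tls_required\":true}";
    let proxy_cert = ServerCert { names: vec!["proxy.example.net".into()] };
    println!("vulnerable accepts: {}", vulnerable_accepts(tampered_info, &proxy_cert));
    println!("hardened accepts:   {}", hardened_accepts("nats.example.com", &proxy_cert));
}
```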
Source: This report was generated using AI