verify_certificate_identity in the OpenSSL extension in Ruby before 2.0.0 patchlevel 645, 2.1.x before 2.1.6, and 2.2.x before 2.2.2 does not properly validate hostnames, which allows remote attackers to spoof servers via vectors related to (1) multiple wildcards, (1) wildcards in IDNA names, (3) case sensitivity, and (4) non-ASCII characters.
References
Link | Resource |
---|---|
https://bugs.ruby-lang.org/issues/9644 | Third Party Advisory |
http://www.debian.org/security/2015/dsa-3246 | Third Party Advisory |
http://www.debian.org/security/2015/dsa-3247 | Third Party Advisory |
https://puppetlabs.com/security/cve/cve-2015-1855 | Third Party Advisory |
http://www.debian.org/security/2015/dsa-3245 | Third Party Advisory |
https://www.ruby-lang.org/en/news/2015/04/13/ruby-openssl-hostname-matching-vulnerability/ | Vendor Advisory |
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
Information
Published : 2019-11-29 13:15
Updated : 2020-09-30 05:27
NVD link : CVE-2015-1855
Mitre link : CVE-2015-1855
JSON object : View
CWE
CWE-20
Improper Input Validation
Products Affected
ruby-lang
- ruby
- trunk
debian
- debian_linux
puppet
- puppet_enterprise
- puppet_agent