verify_certificate_identity in the OpenSSL extension in Ruby before 2.0.0 patchlevel 645, 2.1.x before 2.1.6, and 2.2.x before 2.2.2 does not properly validate hostnames, which allows remote attackers to spoof servers via vectors related to (1) multiple wildcards, (2) wildcards in IDNA names, (3) case sensitivity, and (4) non-ASCII characters.
References
| Link | Resource |
|---|---|
| http://www.debian.org/security/2015/dsa-3245 | Third Party Advisory |
| http://www.debian.org/security/2015/dsa-3246 | Third Party Advisory |
| http://www.debian.org/security/2015/dsa-3247 | Third Party Advisory |
| https://bugs.ruby-lang.org/issues/9644 | Third Party Advisory |
| https://puppetlabs.com/security/cve/cve-2015-1855 | Third Party Advisory |
| https://www.ruby-lang.org/en/news/2015/04/13/ruby-openssl-hostname-matching-vulnerability/ | Vendor Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: redhat
Published: 2019-11-29T20:46:48
Updated: 2019-11-29T20:46:48
Reserved: 2015-02-17T00:00:00
Link: CVE-2015-1855
NVD Information
Status: Analyzed
Published: 2019-11-29T21:15:10.807
Modified: 2020-09-30T12:27:21.570
Link: CVE-2015-1855
Redhat Information
No data.
CWE