verify_certificate_identity in the OpenSSL extension in Ruby before 2.0.0 patchlevel 645, 2.1.x before 2.1.6, and 2.2.x before 2.2.2 does not properly validate hostnames, which allows remote attackers to spoof servers via vectors related to (1) multiple wildcards, (1) wildcards in IDNA names, (3) case sensitivity, and (4) non-ASCII characters.
http://www.debian.org/security/2015/dsa-3245
http://www.debian.org/security/2015/dsa-3246
http://www.debian.org/security/2015/dsa-3247
https://bugs.ruby-lang.org/issues/9644
https://puppetlabs.com/security/cve/cve-2015-1855
https://www.ruby-lang.org/en/news/2015/04/13/ruby-openssl-hostname-matching-vulnerability/
Source: MITRE
Published: 2019-11-29
Updated: 2019-12-17
Type: CWE-20
Base Score: 4.3
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Impact Score: 2.9
Exploitability Score: 8.6
Severity: MEDIUM
Base Score: 5.9
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Impact Score: 3.6
Exploitability Score: 2.2
Severity: MEDIUM