CVE-2015-1855

medium

Description

verify_certificate_identity in the OpenSSL extension in Ruby before 2.0.0 patchlevel 645, 2.1.x before 2.1.6, and 2.2.x before 2.2.2 does not properly validate hostnames, which allows remote attackers to spoof servers via vectors related to (1) multiple wildcards, (2) wildcards in IDNA names, (3) case sensitivity, and (4) non-ASCII characters.

References

https://www.ruby-lang.org/en/news/2015/04/13/ruby-openssl-hostname-matching-vulnerability/

https://puppetlabs.com/security/cve/cve-2015-1855

https://bugs.ruby-lang.org/issues/9644

http://www.debian.org/security/2015/dsa-3247

http://www.debian.org/security/2015/dsa-3246

http://www.debian.org/security/2015/dsa-3245

Details

Source: Mitre, NVD

Published: 2019-11-29

Updated: 2020-09-30

Risk Information

CVSS v2

Base Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 5.9

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Severity: Medium