CVE-2015-1855

MEDIUM

Description

verify_certificate_identity in the OpenSSL extension in Ruby before 2.0.0 patchlevel 645, 2.1.x before 2.1.6, and 2.2.x before 2.2.2 does not properly validate hostnames, which allows remote attackers to spoof servers via vectors related to (1) multiple wildcards, (1) wildcards in IDNA names, (3) case sensitivity, and (4) non-ASCII characters.

References

http://www.debian.org/security/2015/dsa-3245

http://www.debian.org/security/2015/dsa-3246

http://www.debian.org/security/2015/dsa-3247

https://bugs.ruby-lang.org/issues/9644

https://puppetlabs.com/security/cve/cve-2015-1855

https://www.ruby-lang.org/en/news/2015/04/13/ruby-openssl-hostname-matching-vulnerability/

Details

Source: MITRE

Published: 2019-11-29

Updated: 2019-12-17

Type: CWE-20

Risk Information

CVSS v2.0

Base Score: 4.3

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Impact Score: 2.9

Exploitability Score: 8.6

Severity: MEDIUM

CVSS v3.0

Base Score: 5.9

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Impact Score: 3.6

Exploitability Score: 2.2

Severity: MEDIUM