CVE-2015-1855

Sažetak

verify_certificate_identity in the OpenSSL extension in Ruby before 2.0.0 patchlevel 645, 2.1.x before 2.1.6, and 2.2.x before 2.2.2 does not properly validate hostnames, which allows remote attackers to spoof servers via vectors related to (1) multiple wildcards, (1) wildcards in IDNA names, (3) case sensitivity, and (4) non-ASCII characters.

Reference

https://bugs.ruby-lang.org/issues/9644
http://www.debian.org/security/2015/dsa-3246
http://www.debian.org/security/2015/dsa-3247
https://puppetlabs.com/security/cve/cve-2015-1855
http://www.debian.org/security/2015/dsa-3245
https://www.ruby-lang.org/en/news/2015/04/13/ruby-openssl-hostname-matching-vulnerability/

CVSS

Base:	4.3
Impact:	2.9
Exploitability:	8.6

Pristup

Vektor	Složenost	Autentikacija
NETWORK	MEDIUM	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
NONE	PARTIAL	NONE

CVSS vektor

AV:N/AC:M/Au:N/C:N/I:P/A:N

Zadnje važnije ažuriranje

30-09-2020 - 12:27

Objavljeno

29-11-2019 - 21:15