CVE-2015-1855 Information
Feb 14, 2021
Description
verify_certificate_identity in the OpenSSL extension in Ruby before 2.0.0 patchlevel 645, 2.1.x before 2.1.6, and 2.2.x before 2.2.2 does not properly validate hostnames, which allows remote attackers to spoof servers via vectors related to (1) multiple wildcards, (2) wildcards in IDNA names, (3) case sensitivity, and (4) non-ASCII characters.
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Reference
http://www.debian.org/security/2015/dsa-3245
http://www.debian.org/security/2015/dsa-3246
http://www.debian.org/security/2015/dsa-3247
https://bugs.ruby-lang.org/issues/9644
https://puppetlabs.com/security/cve/cve-2015-1855
https://www.ruby-lang.org/en/news/2015/04/13/ruby-openssl-hostname-matching-vulnerability/
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction Required
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
Base Score
5.9
Base Severity
MEDIUM