CVE-2015-1855

Published: 11/29/2019 Last updated: 8/6/2024 Reserved: 2/17/2015

verify_certificate_identity in the OpenSSL extension in Ruby before 2.0.0 patchlevel 645, 2.1.x before 2.1.6, and 2.2.x before 2.2.2 does not properly validate hostnames, which allows remote attackers to spoof servers via vectors related to (1) multiple wildcards, (1) wildcards in IDNA names, (3) case sensitivity, and (4) non-ASCII characters.

CNA assigner: redhat (53f830b8-0a3f-465b-8143-3b8a9948e749) Requested by: n/a

Opam packages affected (1)

conf-ruby

Products affected (1)

Product	Vendor	Version
Ruby	Ruby	< 6.0.6003.21167

References (12)

http://www.debian.org/security/2015/dsa-3247
http://www.debian.org/security/2015/dsa-3245
http://www.debian.org/security/2015/dsa-3246
https://www.ruby-lang.org/en/news/2015/04/13/ruby-openssl-hostname-matching-vulnerability/
https://puppetlabs.com/security/cve/cve-2015-1855
https://bugs.ruby-lang.org/issues/9644
http://www.debian.org/security/2015/dsa-3247
http://www.debian.org/security/2015/dsa-3245
http://www.debian.org/security/2015/dsa-3246
https://www.ruby-lang.org/en/news/2015/04/13/ruby-openssl-hostname-matching-vulnerability/
https://puppetlabs.com/security/cve/cve-2015-1855
https://bugs.ruby-lang.org/issues/9644