Description
verify_certificate_identity in the OpenSSL extension in Ruby before 2.0.0 patchlevel 645, 2.1.x before 2.1.6, and 2.2.x before 2.2.2 does not properly validate hostnames, which allows remote attackers to spoof servers via vectors related to (1) multiple wildcards, (2) wildcards in IDNA names, (3) case sensitivity, and (4) non-ASCII characters.
CVSS Metrics
- Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
- Attack Vector: network
- Complexity: high
- Privileges: none
- User Action: none
- Scope: unchanged
- Confidentiality: none
- Integrity: high
- Availability: none
- Weaknesses: CWE-20
Metadata
- Primary Vendor: RUBY-LANG
- Published: 11/29/2019
- Last Modified: 11/21/2024
- Source: NIST NVD
- Note: Verify all details with official vendor sources before applying patches.
Affected Products
- ruby-lang : ruby
- ruby-lang : trunk
- debian : debian_linux
- puppet : puppet_agent
- puppet : puppet_enterprise