verify_certificate_identity in the OpenSSL extension in Ruby prior to 2.0.0 patchlevel 645, 2.1.x prior to 2.1.6, and 2.2.x prior to 2.2.2 does not properly validate hostnames, which allows remote malicious users to spoof servers via vectors related to (1) multiple wildcards, (1) wildcards in IDNA names, (3) case sensitivity, and (4) non-ASCII characters.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
ruby-lang ruby 2.0.0 |
||
ruby-lang trunk |
||
ruby-lang ruby |
||
debian debian linux 8.0 |
||
debian debian linux 7.0 |
||
debian debian linux 9.0 |
||
puppet puppet enterprise |
||
puppet puppet agent 1.0.0 |