Description
lib/oauth/consumer.rb in the oauth-ruby gem through 0.5.4 for Ruby does not verify server X.509 certificates if a certificate bundle cannot be found, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information.
Packages
| Package | Status | Fixed version | Release | Type |
|---|---|---|---|---|
| ruby-oauth | fixed | 0.5.6-1 | experimental | package |
| ruby-oauth | unfixed | | | package |
Notes
https://github.com/oauth-xx/oauth-ruby/issues/137
Likely a minor issue, since the certificate bundle file that exists on the system is generated by the ca-certificates package, and ca-certificates is in the package's dependency list. Hence, even though the package is vulnerable, the problem does not arise in Debian unless the admin has explicitly removed the file from the filesystem.

Fixing this vulnerability can cause a regression in the case where the admin has intentionally removed this file in order not to check certificates.
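The failure mode described in the description and notes above, shown as an added Ruby illustration (not the gem's code and not from this tracker page): a client that falls back to no verification when its CA bundle is missing, beside a version that keeps verifying by using the OpenSSL default store (the one ca-certificates populates) and fails closed when an explicitly named bundle is absent. The host name and bundle path are constructed placeholders; neither function opens a connection.

```ruby
require 'net/http'
require 'openssl'

# Insecure pattern (simplified stand-in for the behaviour reported for
# oauth-ruby <= 0.5.4, not the gem's actual code): when the bundle file
# cannot be found, peer verification is silently switched off, so any
# certificate presented by a server is accepted.
def http_client_insecure(host, ca_file)
  http = Net::HTTP.new(host, 443)
  http.use_ssl = true
  if ca_file && File.exist?(ca_file)
    http.ca_file = ca_file
    http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  else
    http.verify_mode = OpenSSL::SSL::VERIFY_NONE # fails open
  end
  http
end

# Hardened pattern: verification is always on. An explicitly requested
# bundle that does not exist is an error rather than a reason to stop
# verifying; with no bundle given, the OpenSSL default certificate paths
# are used instead (on Debian these are filled by ca-certificates).
def http_client_hardened(host, ca_file)
  http = Net::HTTP.new(host, 443)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  if ca_file
    raise ArgumentError, "CA bundle not found: #{ca_file}" unless File.exist?(ca_file)
    http.ca_file = ca_file
  else
    store = OpenSSL::X509::Store.new
    store.set_default_paths
    http.cert_store = store
  end
  http
end

# Small check a reviewer can run against any configured client object.
def verifies_peer?(http)
  http.verify_mode == OpenSSL::SSL::VERIFY_PEER
end
```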
Related vulnerabilities
Improper Certificate Validation in oauth ruby gem