exploitDog
GHSA-72qj-48g4-5xgx

Published: 07 May 2025
Source: github
GitHub: reviewed
CVSS4: 5.7

Description

JRuby-OpenSSL has hostname verification disabled by default

Summary

When verifying SSL certificates, jruby-openssl does not check that the hostname presented in the certificate matches the host the client is connecting to. A MITM can therefore present any valid certificate for a completely different domain they own, and JRuby will not complain.

Details

n/a

PoC

An example domain, bad.substitutealert.com, was set up to present a certificate issued for the domain s8a.me. The following script, run in IRB on CRuby 3.4.3, fails with certificate verify failed (hostname mismatch), but runs without complaint on JRuby 10.0.0.0 and JRuby 9.4.2.0, both of which ship jruby-openssl version 0.15.3.

```ruby
require "net/http"
require "openssl"

# The host we dial presents a valid certificate for a different domain (s8a.me).
uri = URI("https://bad.substitutealert.com/")
https = Net::HTTP.new(uri.host, uri.port)
https.use_ssl = true
# VERIFY_PEER validates the chain; the hostname check is the part the
# affected jruby-openssl versions skip, so the request succeeds on JRuby.
https.verify_mode = OpenSSL::SSL::VERIFY_PEER
body = https.start { https.get(uri.request_uri).body }
puts body
```

Impact

Anybody using JRuby to make requests to external APIs, or to scrape the web, who depends on HTTPS to connect securely is affected.
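What the missing check actually does, and an explicit check a client can run itself rather than relying on the library default: the following is an added example written for this page, not code from the advisory, from JRuby or from jruby-openssl. The certificates are generated in-process to replay the PoC scenario (a valid certificate for s8a.me served from bad.substitutealert.com); the helper names build_test_cert, dns_names, name_matches?, certificate_names_host? and assert_peer_hostname! are this example's own. The matching rules follow RFC 6125 section 6.4.3 and are slightly stricter than CRuby's built-in OpenSSL::SSL.verify_certificate_identity (here a wildcard never matches a name with fewer than three labels); the two agree on every case shown below.

```ruby
# Added example (not from the advisory or the JRuby project): what hostname
# verification of a server certificate involves, and an explicit post-handshake
# check a client can run so it does not depend on the library's default.
require "openssl"

# Build a self-signed test certificate whose identity is the given DNS names.
# Constructed for this example only; no real CA is involved.
def build_test_cert(common_name, dns_sans)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                                   # X.509 v3, needed for extensions
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.new([["CN", common_name]])
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  unless dns_sans.empty?
    ef = OpenSSL::X509::ExtensionFactory.new
    ef.subject_certificate = ef.issuer_certificate = cert
    san = dns_sans.map { |h| "DNS:#{h}" }.join(",")
    cert.add_extension(ef.create_extension("subjectAltName", san, false))
  end
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# DNS names the certificate claims, read from subjectAltName only.
def dns_names(cert)
  ext = cert.extensions.find { |e| e.oid == "subjectAltName" }
  return [] unless ext
  ext.value.split(",").map(&:strip)
     .select { |v| v.start_with?("DNS:") }
     .map { |v| v.delete_prefix("DNS:") }
end

# Match one presented name against the reference hostname (RFC 6125 6.4.3):
# case-insensitive, same number of labels, wildcard only as the whole
# left-most label, and a wildcard never matches a name of fewer than 3 labels.
def name_matches?(presented, hostname)
  p = presented.downcase.split(".")
  h = hostname.downcase.split(".")
  return false unless p.size == h.size
  return p == h unless p.first == "*"
  p.size >= 3 && p.drop(1) == h.drop(1)
end

# The check the advisory says jruby-openssl 0.12.1..0.15.3 skipped: does the
# (chain-validated) certificate actually name the host we dialed? When the SAN
# carries DNS names only those count; CN is a fallback for certificates
# that have no DNS SAN at all.
def certificate_names_host?(cert, hostname)
  names = dns_names(cert)
  if names.empty?
    cn_entry = cert.subject.to_a.find { |oid, _value, _type| oid == "CN" }
    names = cn_entry ? [cn_entry[1]] : []
  end
  names.any? { |n| name_matches?(n, hostname) }
end

# Mitigation for a client that cannot rely on the library default: call this on
# the OpenSSL::SSL::SSLSocket after connect and before sending any request.
# Raises OpenSSL::SSL::SSLError on a mismatch, like post_connection_check does.
def assert_peer_hostname!(ssl_socket, hostname)
  cert = ssl_socket.peer_cert
  raise OpenSSL::SSL::SSLError, "no peer certificate" unless cert
  return true if certificate_names_host?(cert, hostname)
  raise OpenSSL::SSL::SSLError,
        "hostname mismatch: certificate is for #{dns_names(cert).join(', ')}, not #{hostname}"
end

# Replay the PoC: a valid certificate for s8a.me presented by bad.substitutealert.com.
S8A_CERT = build_test_cert("s8a.me", ["s8a.me", "www.s8a.me"])

if $PROGRAM_NAME == __FILE__
  puts "s8a.me                  -> #{certificate_names_host?(S8A_CERT, 's8a.me')}"
  puts "bad.substitutealert.com -> #{certificate_names_host?(S8A_CERT, 'bad.substitutealert.com')}"
  begin
    assert_peer_hostname!(Struct.new(:peer_cert).new(S8A_CERT), "bad.substitutealert.com")
  rescue OpenSSL::SSL::SSLError => e
    puts "rejected: #{e.message}"
  end
end
```

assert_peer_hostname! is meant to run on the SSLSocket straight after the handshake and before the first request. On CRuby, Net::HTTP already calls post_connection_check for the address it dialed whenever verify_mode is not VERIFY_NONE, which is why the PoC fails there with a hostname mismatch; whether a given jruby-openssl build performs that check is exactly what this advisory is about, so on a JRuby deployment that cannot yet move to 0.15.4 the explicit call is the safer assumption.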

Packages

Name                    Ecosystem   Affected versions          Fixed version
rubygems:jruby-openssl  maven       >= 0.12.1, < 0.15.4        0.15.4
org.jruby:jruby         maven       >= 10.0.0.0, < 10.0.0.1    10.0.0.1
org.jruby:jruby         maven       >= 9.3.4.0, < 9.4.12.1     9.4.12.1

EPSS: 0.00034 (percentile 8%, Low)

CVSS4: 5.7 Medium

Weaknesses
CWE-295 (Improper Certificate Validation)
CWE-297 (Improper Validation of Certificate with Host Mismatch)

Related vulnerabilities

ubuntu
4 months ago

JRuby-OpenSSL is an add-on gem for JRuby that emulates the Ruby OpenSSL native library. Starting in JRuby-OpenSSL version 0.12.1 and prior to version 0.15.4 (corresponding to JRuby versions starting in 9.3.4.0 prior to 9.4.12.1 and 10.0.0.0 prior to 10.0.0.1), when verifying SSL certificates, JRuby-OpenSSL does not verify that the hostname presented in the certificate matches the one the user tries to connect to. This means a man-in-the-middle could just present any valid cert for a completely different domain they own, and JRuby would accept the cert. Anybody using JRuby to make requests to external APIs, or to scrape the web, who depends on HTTPS to connect securely is affected. JRuby-OpenSSL version 0.15.4 contains a fix for the issue. This fix is included in JRuby versions 10.0.0.1 and 9.4.12.1.

CVSS3: 6.5
redhat
4 months ago

Same description as the ubuntu entry above.

nvd
4 months ago

Same description as the ubuntu entry above.
