Description
verify_certificate_identity in the OpenSSL extension in Ruby before 2.0.0 patchlevel 645, 2.1.x before 2.1.6, and 2.2.x before 2.2.2 does not properly validate hostnames, which allows remote attackers to spoof servers via vectors related to (1) multiple wildcards, (2) wildcards in IDNA names, (3) case sensitivity, and (4) non-ASCII characters.
The Ruby OpenSSL extension was found to be overly permissive when matching a host name against wildcard names in an X.509 certificate (subjectAltName dNSName entries, or the subject CN when no dNSName is present). A Ruby TLS/SSL client could therefore accept a certificate issued for a different name as valid, contrary to the matching rules recommended in RFC 6125 (section 6.4.3), and an attacker holding such a certificate could impersonate the intended server.
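To make the four vectors concrete, the following is an added example, not code from the Ruby project or from this advisory: a host-name matcher that applies the RFC 6125 section 6.4.3 rules (single wildcard, left-most label only, no wildcard inside an IDNA A-label, ASCII-only, case-insensitive), plus a triage helper for the fixed-version ranges stated above. The module and method names (Rfc6125Host, match?, label_match?, affected_ruby?) and the sample host names are this example's own, and the "at least two labels after a wildcard" rule is a common stricter-than-RFC choice, marked as such in the code.

```ruby
# Added example: RFC 6125 host-name matching and version triage for the
# advisory above. Not the Ruby project's verify_certificate_identity;
# the module/method names here are this example's own.
module Rfc6125Host
  # True if +presented+ (a dNSName from subjectAltName, or the subject CN)
  # matches +reference+ (the host the client intended to reach).
  def self.match?(reference, presented)
    # RFC 5280 dNSName is IA5String (ASCII only). Internationalized names
    # must already be in A-label (xn--) form; raw non-ASCII on either
    # side is rejected rather than compared (vector 4).
    return false unless presented.ascii_only? && reference.ascii_only?

    # Matching is case-insensitive (RFC 6125 6.4.1), so fold ASCII case
    # on both sides before any label comparison (vector 3).
    p_labels = presented.downcase.split(".", -1)
    r_labels = reference.downcase.split(".", -1)
    return false if p_labels.empty? || p_labels.any?(&:empty?)
    return false if r_labels.empty? || r_labels.any?(&:empty?)

    # A wildcard never spans a label boundary: *.example.com matches
    # foo.example.com, not bar.foo.example.com (6.4.3 item 2).
    return false unless p_labels.size == r_labels.size

    # Only the left-most label may carry a wildcard (6.4.3 item 1);
    # bar.*.example.com is rejected outright.
    return false if p_labels[1..-1].any? { |l| l.include?("*") }

    # Stricter than the RFC, but common practice: a wildcard needs at
    # least two labels after it, so *.com never matches anything.
    return false if p_labels[0].include?("*") && p_labels.size < 3

    label_match?(r_labels[0], p_labels[0]) && p_labels[1..-1] == r_labels[1..-1]
  end

  # Left-most label comparison; at most one wildcard is allowed here.
  def self.label_match?(ref, pres)
    parts = pres.split("*", -1)
    return ref == pres if parts.size == 1   # no wildcard: exact match
    return false if parts.size > 2          # "w*w*": multiple wildcards (vector 1)

    # No wildcard inside an IDNA A-label (6.4.3 item 3): "xn--*" is
    # rejected, and an A-label in the reference matches only a bare "*"
    # (vector 2).
    return false if pres.start_with?("xn--")
    return false if ref.start_with?("xn--") && pres != "*"

    prefix, suffix = parts
    # The "*" must match at least one character, and prefix and suffix
    # must not overlap inside the reference label.
    return false unless ref.length > prefix.length + suffix.length
    ref.start_with?(prefix) && ref.end_with?(suffix)
  end

  # Triage against the ranges stated in the advisory: fixed in
  # 2.0.0-p645, 2.1.6 and 2.2.2. An unknown 2.0.0 patchlevel is treated
  # as affected; versions outside the listed ranges are reported as not
  # affected.
  def self.affected_ruby?(version, patchlevel = nil)
    v = version.split(".").map(&:to_i)
    return true if (v <=> [2, 0, 0]) < 0                  # anything before 2.0.0
    return patchlevel.nil? || patchlevel < 645 if v == [2, 0, 0]
    return (v <=> [2, 1, 6]) < 0 if v[0, 2] == [2, 1]
    return (v <=> [2, 2, 2]) < 0 if v[0, 2] == [2, 2]
    false
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample names; the first entry of each row is the expected result.
  [[true,  "www.example.com",           "*.example.com"],
   [true,  "WWW.Example.COM",           "*.example.com"],
   [false, "a.b.example.com",           "*.example.com"],
   [false, "www.example.com",           "w*w*.example.com"],
   [false, "xn--bcher-kva.example.com", "xn--*.example.com"],
   [false, "bücher.example.com",        "*.example.com"],
   [false, "www.bar.example.com",       "bar.*.example.com"]].each do |want, host, name|
    got = Rfc6125Host.match?(host, name)
    puts "#{got == want ? 'ok  ' : 'FAIL'} #{host} vs #{name} -> #{got}"
  end
end
```

Each `false` row above corresponds to one of the advisory's vectors; a pre-fix `verify_certificate_identity` accepted one or more of them. For live triage, `Rfc6125Host.affected_ruby?(RUBY_VERSION, RUBY_PATCHLEVEL)` compares the running interpreter against the ranges on this page; for distribution packages, rely on the vendor table below rather than the upstream version string, since backported fixes keep the old version number.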
Affected packages
| Platform | Package | Status | Recommendation | Release |
|---|---|---|---|---|
| CloudForms Management Engine 5.2 | ruby193-ruby | Affected | | |
| Red Hat Enterprise Linux 5 | ruby | Will not fix | | |
| Red Hat Enterprise Linux 6 | ruby | Will not fix | | |
| Red Hat Enterprise Linux 7 | ruby | Will not fix | | |
| Red Hat OpenStack Platform 4 | ruby193-ruby | Will not fix | | |
| Red Hat Software Collections | rh-ruby22-ruby | Not affected | | |
| Red Hat Software Collections | ruby193-ruby | Will not fix | | |
| Red Hat Software Collections | ruby200-ruby | Will not fix | | |
| Red Hat Subscription Asset Manager | ruby193-ruby | Affected | | |
Additional information
Severity: 4 Medium (CVSS v2)
Related vulnerabilities
Vulnerability in the Ruby interpreter that allows an attacker to spoof an SSL server (severity: 4 Medium, CVSS v2)