Description
verify_certificate_identity in the OpenSSL extension in Ruby before 2.0.0 patchlevel 645, 2.1.x before 2.1.6, and 2.2.x before 2.2.2 does not properly validate hostnames, which allows remote attackers to spoof servers via vectors related to (1) multiple wildcards, (1) wildcards in IDNA names, (3) case sensitivity, and (4) non-ASCII characters.
Remediation
References
Related Vulnerabilities
Apache HTTP Server Other Vulnerability (CVE-2003-0189)
WordPress Plugin Calendar Unspecified Vulnerability (1.3.10)
WordPress Plugin Tickera-WordPress Event Ticketing Security Bypass (3.4.9.1)
Atlassian Jira Deserialization of Untrusted Data Vulnerability (CVE-2017-5983)
PHP Permissions, Privileges, and Access Controls Vulnerability (CVE-2010-3436)