Description

The OpenSSL::SSL.verify_certificate_identity function in lib/openssl/ssl.rb in Ruby 1.8 before 1.8.7-p374, 1.9 before 1.9.3-p448, and 2.0 before 2.0.0-p247 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.

Remediation

References

CVE-2013-4073

Related Vulnerabilities

Joomla Improper Input Validation Vulnerability (CVE-2013-3242)

WordPress Plugin FireStorm Professional Real Estate 'id' Parameter SQL Injection (2.06.03)

WordPress Plugin Lightbox Gallery Cross-Site Scripting (0.9.4)

WordPress 3.7.x Multiple Vulnerabilities (3.7 - 3.7.27)

Mailman Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2010-3089)

Severity

Medium

Classification

CVE-2013-4073

Tags

Missing Update Known Vulnerabilities