Description

verify_certificate_identity in the OpenSSL extension in Ruby before 2.0.0 patchlevel 645, 2.1.x before 2.1.6, and 2.2.x before 2.2.2 does not properly validate hostnames, which allows remote attackers to spoof servers via vectors related to (1) multiple wildcards, (1) wildcards in IDNA names, (3) case sensitivity, and (4) non-ASCII characters.

Remediation

References

CVE-2015-1855

Related Vulnerabilities

Apache HTTP Server Other Vulnerability (CVE-2006-4154)

PHP Improper Input Validation Vulnerability (CVE-2006-7243)

PHP Numeric Errors Vulnerability (CVE-2010-4645)

Django Improper Input Validation Vulnerability (CVE-2019-3498)

WordPress Plugin LifterLMS-WP LMS for eLearning, Online Courses, & Quizzes Security Bypass (4.21.1)

Severity

Medium

Classification

CVE-2015-1855 CWE-20 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Tags

Missing Update Known Vulnerabilities