Description

verify_certificate_identity in the OpenSSL extension in Ruby before 2.0.0 patchlevel 645, 2.1.x before 2.1.6, and 2.2.x before 2.2.2 does not properly validate hostnames, which allows remote attackers to spoof servers via vectors related to (1) multiple wildcards, (1) wildcards in IDNA names, (3) case sensitivity, and (4) non-ASCII characters.

Remediation

References

CVE-2015-1855

Related Vulnerabilities

Plone CMS Permissions, Privileges, and Access Controls Vulnerability (CVE-2013-7061)

WordPress Plugin PowerPress Podcasting by Blubrry Cross-Site Scripting (6.0)

Moodle Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2024-34008)

WordPress Plugin Listing, Classified Ads & Business Directory-uListing Arbitrary File Upload (1.2.1)

MediaWiki Other Vulnerability (CVE-2005-4031)

Severity

Medium

Classification

CVE-2015-1855 CWE-20 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Tags

Missing Update Known Vulnerabilities