CVE-2015-1855

Summary

verify_certificate_identity in the OpenSSL extension in Ruby before 2.0.0 patchlevel 645, 2.1.x before 2.1.6, and 2.2.x before 2.2.2 does not properly validate hostnames, which allows remote attackers to spoof servers via vectors related to (1) multiple wildcards, (1) wildcards in IDNA names, (3) case sensitivity, and (4) non-ASCII characters.

Affected Software

VendorProductVersion RangeStatus
RubyRubybefore 2.0.0 patchlevel 645affected
RubyRuby2.1.x before 2.1.6affected
RubyRubyand 2.2.x before 2.2.2affected

Weaknesses

  • Other

ADP Enrichment

CVE Program Container

Additional References

References