Risk | Medium |
Patch available | YES |
Number of vulnerabilities | 1 |
CVE-ID | CVE-2015-1855 |
CWE-ID | CWE-20 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software | Ruby (Universal components / Libraries / Scripting languages) |
Vendor | Ruby |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
EUVDB-ID: #VU35016
Risk: Medium
CVSSv3.1: 5.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2015-1855
CWE-ID: CWE-20 - Improper input validation
Exploit availability: No
Description
The vulnerability allows a remote non-authenticated attacker to manipulate data.
verify_certificate_identity in the OpenSSL extension in Ruby before 2.0.0 patchlevel 645, 2.1.x before 2.1.6, and 2.2.x before 2.2.2 does not properly validate hostnames, which allows remote attackers to spoof servers via vectors related to (1) multiple wildcards, (2) wildcards in IDNA names, (3) case sensitivity, and (4) non-ASCII characters.
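The script below is an added example, not part of the bulletin or of Ruby's own test suite: it runs OpenSSL::SSL.verify_certificate_identity on the installed interpreter against the four name classes listed above and reports whether each is handled as on a patched runtime. The throwaway key, the certificate and host names, and the expected results in the table are constructed for the example.

```ruby
require "openssl"

# Constructed test data: one throwaway key and self-signed certificates whose
# only DNS identity is a single subjectAltName dNSName entry.
KEY = OpenSSL::PKey::RSA.new(2048)

def cert_with_san(dns_name)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=constructed-test")
  cert.public_key = KEY.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ext = OpenSSL::X509::ExtensionFactory.new.create_extension("subjectAltName", "DNS:#{dns_name}")
  cert.add_extension(ext)
  cert.sign(KEY, OpenSSL::Digest.new("SHA256"))
end

# [presented SAN, reference hostname, result expected from a patched runtime]
CASES = [
  ["*.example.com",     "www.example.com",           true],  # one left-most wildcard
  ["*.*.example.com",   "a.b.example.com",           false], # multiple wildcards
  ["w**.example.com",   "www.example.com",           false], # two wildcards in one label
  ["xn--*.example.com", "xn--bcher-kva.example.com", false], # wildcard inside an IDNA label
  ["www.example.com",   "WWW.Example.COM",           true],  # comparison ignores case
  ["example.com",       "ex\u00e4mple.com",          false], # non-ASCII reference name
]

# Runs every case through the library's own matcher and records the outcome.
def hostname_matching_report
  CASES.map do |san, host, expected|
    actual = OpenSSL::SSL.verify_certificate_identity(cert_with_san(san), host)
    { san: san, host: host, expected: expected, actual: actual }
  end
end

def hostname_matching_ok?
  hostname_matching_report.all? { |r| r[:actual] == r[:expected] }
end

if $PROGRAM_NAME == __FILE__
  hostname_matching_report.each do |r|
    status = r[:actual] == r[:expected] ? "ok  " : "FAIL"
    puts format("%s SAN=%-18s host=%-28s -> %s", status, r[:san], r[:host].inspect, r[:actual])
  end
  puts "Ruby #{RUBY_VERSION}p#{RUBY_PATCHLEVEL}, #{OpenSSL::OPENSSL_LIBRARY_VERSION}"
end
```

A FAIL line means the interpreter's matcher disagrees with the expected result for that row, so the runtime should be checked against the fixed versions named in the description.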
Mitigation
Install the update from the vendor's website.
Vulnerable software versions
Ruby: 2.2.0 - 2.2.1
External links
http://www.debian.org/security/2015/dsa-3245
http://www.debian.org/security/2015/dsa-3246
http://www.debian.org/security/2015/dsa-3247
http://bugs.ruby-lang.org/issues/9644
http://puppetlabs.com/security/cve/cve-2015-1855
http://www.ruby-lang.org/en/news/2015/04/13/ruby-openssl-hostname-matching-vulnerability/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.