#VU35016 Input validation error in Ruby - CVE-2015-1855


| Updated: 2020-08-08

Vulnerability identifier: #VU35016

Vulnerability risk: Medium

CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2015-1855

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Ruby
Universal components / Libraries / Scripting languages

Vendor: Ruby

Description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

verify_certificate_identity in the OpenSSL extension in Ruby before 2.0.0 patchlevel 645, 2.1.x before 2.1.6, and 2.2.x before 2.2.2 does not properly validate hostnames, which allows remote attackers to spoof servers via vectors related to (1) multiple wildcards, (1) wildcards in IDNA names, (3) case sensitivity, and (4) non-ASCII characters.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Ruby: 2.2.0 - 2.2.1

External links
https://www.debian.org/security/2015/dsa-3245
https://www.debian.org/security/2015/dsa-3246
https://www.debian.org/security/2015/dsa-3247
https://bugs.ruby-lang.org/issues/9644
https://puppetlabs.com/security/cve/cve-2015-1855
https://www.ruby-lang.org/en/news/2015/04/13/ruby-openssl-hostname-matching-vulnerability/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Input validation error in Ruby
Amazon Linux AMI update for ruby22
Amazon Linux AMI update for ruby21
Amazon Linux AMI update for ruby20
Amazon Linux AMI update for ruby19
Amazon Linux AMI update for ruby18
Fedora 22 update for ruby
Fedora 21 update for ruby