#VU35016 Input validation error in Ruby


Published: 2019-11-29 | Updated: 2020-08-08

Vulnerability identifier: #VU35016

Vulnerability risk: Medium

CVSSv3.1: 5.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2015-1855

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Ruby
Universal components / Libraries / Scripting languages

Vendor: Ruby

Description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

verify_certificate_identity in the OpenSSL extension in Ruby before 2.0.0 patchlevel 645, 2.1.x before 2.1.6, and 2.2.x before 2.2.2 does not properly validate hostnames, which allows remote attackers to spoof servers via vectors related to (1) multiple wildcards, (1) wildcards in IDNA names, (3) case sensitivity, and (4) non-ASCII characters.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Ruby: 2.2.0 - 2.2.1

External links
http://www.debian.org/security/2015/dsa-3245
http://www.debian.org/security/2015/dsa-3246
http://www.debian.org/security/2015/dsa-3247
http://bugs.ruby-lang.org/issues/9644
http://puppetlabs.com/security/cve/cve-2015-1855
http://www.ruby-lang.org/en/news/2015/04/13/ruby-openssl-hostname-matching-vulnerability/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Input validation error in Ruby
Amazon Linux AMI update for ruby22
Amazon Linux AMI update for ruby21
Amazon Linux AMI update for ruby20
Amazon Linux AMI update for ruby19
Amazon Linux AMI update for ruby18