CVE-2015-1855

Name
CVE-2015-1855
Description
verify_certificate_identity in the OpenSSL extension in Ruby before 2.0.0 patchlevel 645, 2.1.x before 2.1.6, and 2.2.x before 2.2.2 does not properly validate hostnames, which allows remote attackers to spoof servers via vectors related to (1) multiple wildcards, (2) wildcards in IDNA names, (3) case sensitivity, and (4) non-ASCII characters.
NVD Severity
medium
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
Third Party Advisory https://bugs.ruby-lang.org/issues/9644
Third Party Advisory http://www.debian.org/security/2015/dsa-3246
Third Party Advisory http://www.debian.org/security/2015/dsa-3247
Third Party Advisory https://puppetlabs.com/security/cve/cve-2015-1855
Third Party Advisory http://www.debian.org/security/2015/dsa-3245
Vendor Advisory https://www.ruby-lang.org/en/news/2015/04/13/ruby-openssl-hostname-matching-vulnerability/

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:ruby-lang:ruby:2.0.0:-:*:*:*:*:*:* ruby == None == 2.0.0
cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:* ruby >= 2.1.0 < 2.1.6
cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:* ruby >= 2.2.0 < 2.2.2
cpe:2.3:a:ruby-lang:trunk:*:*:*:*:*:*:*:* trunk >= None < 50292

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
trunk edge-community 0.20.2-r0 Matthias Ahouansou <matthias@ahouansou.cz> possibly vulnerable