Vulnerability CVE-2007-5162: Information

Description

The connect method in lib/net/http.rb in the (1) Net::HTTP and (2) Net::HTTPS libraries in Ruby 1.8.5 and 1.8.6 does not verify that the commonName (CN) field in a server certificate matches the domain name in an HTTPS request, which makes it easier for remote attackers to intercept SSL transmissions via a man-in-the-middle attack or spoofed web site.

Severity: MEDIUM (4.3)

URL: https://nvd.nist.gov/vuln/detail/CVE-2007-5162

Published: Oct. 1, 2007

Modified: Oct. 16, 2018

Error type identifier: CWE-287

References to Advisories, Solutions, and Tools

Hyperlink	Resource
http://www.isecpartners.com/advisories/2007-006-rubyssl.txt
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=13499	Patch
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=13500	Patch
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=13502	Patch
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=13504	Patch
25847	Patch
https://bugzilla.redhat.com/show_bug.cgi?id=313791
DSA-1410
DSA-1411
DSA-1412
FEDORA-2007-2406
FEDORA-2007-718
FEDORA-2007-2685
RHSA-2007:0961
RHSA-2007:0965
SUSE-SR:2007:024
26985
27044
27432
27576
27673
27764
27769
27818
3180
27756
MDVSA-2008:029
28645
USN-596-1
29556
ADV-2007-3340
ruby-nethttps-mitm(36861)
oval:org.mitre.oval:def:10738
20071112 FLEA-2007-0068-1 ruby
20070927 Ruby Net::HTTPS library does not validate server certificate CN

Affected configurations:
1. Configuration 1
  cpe:2.3:a:ruby-lang:ruby:1.8.5:*:*:*:*:*:*:*
  cpe:2.3:a:ruby-lang:ruby:1.8.6:*:*:*:*:*:*:*

Version: v24.5.3

Vulnerability CVE-2007-5162: Information

Description

References to Advisories, Solutions, and Tools

Configuration 1