Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score 4.3
CVE Id CVE-2007-5162
Last Modified 07 Mar 2011 10:00:11
Published 01 Oct 2007 01:17:00
Confidentiality Impact NONE
Integrity Impact PARTIAL
Availability Impact NONE
Access Vector NETWORK
Access Complexity MEDIUM
Authentication NONE

CVE-2007-5162

Summary

The connect method in lib/net/http.rb in the (1) Net::HTTP and (2) Net::HTTPS libraries in Ruby 1.8.5 and 1.8.6 does not verify that the commonName (CN) field in a server certificate matches the domain name in an HTTPS request, which makes it easier for remote attackers to intercept SSL transmissions via a man-in-the-middle attack or spoofed web site.

Vulnerable Systems

Application

  • Ruby-lang Ruby 1.8.5

  • Ruby-lang Ruby 1.8.6


References

BID - 25847

CONFIRM - http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=13504

CONFIRM - http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=13502

CONFIRM - http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=13500

CONFIRM - http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=13499

FEDORA - FEDORA-2007-2685

FEDORA - FEDORA-2007-2406

FEDORA - FEDORA-2007-718

MISC - https://bugzilla.redhat.com/show_bug.cgi?id=313791

XF - ruby-nethttps-mitm(36861)

XF - ruby-nethttps-weak-security(36861)

VUPEN - ADV-2007-3340

BUGTRAQ - 20071112 FLEA-2007-0068-1 ruby

BUGTRAQ - 20070927 Ruby Net::HTTPS library does not validate server certificate CN

REDHAT - RHSA-2007:0965

REDHAT - RHSA-2007:0961

SUSE - SUSE-SR:2007:024

MANDRIVA - MDVSA-2008:029

MISC - http://www.isecpartners.com/advisories/2007-006-rubyssl.txt

DEBIAN - DSA-1412

DEBIAN - DSA-1411

DEBIAN - DSA-1410

SREASON - 3180

SECUNIA - 28645

SECUNIA - 27818

SECUNIA - 27769

SECUNIA - 27764

SECUNIA - 27756

SECUNIA - 27673

SECUNIA - 27576

SECUNIA - 27432

SECUNIA - 27044

SECUNIA - 26985

UBUNTU - USN-596-1

SECUNIA - 29556


Last Updated: 27 May 2016 10:46:06