CVE-2015-1855
Summary
| CVE | CVE-2015-1855 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2019-11-29 21:15:00 UTC |
| Updated | 2020-09-30 12:27:00 UTC |
| Description | verify_certificate_identity in the OpenSSL extension in Ruby before 2.0.0 patchlevel 645, 2.1.x before 2.1.6, and 2.2.x before 2.2.2 does not properly validate hostnames, which allows remote attackers to spoof servers via vectors related to (1) multiple wildcards, (2) wildcards in IDNA names, (3) case sensitivity, and (4) non-ASCII characters. |
Risk And Classification
Problem Types: CWE-20
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Debian | Debian Linux | 7.0 | All | All | All |
| Operating System | Debian | Debian Linux | 8.0 | All | All | All |
| Operating System | Debian | Debian Linux | 9.0 | All | All | All |
| Application | Puppet | Puppet Agent | 1.0.0 | All | All | All |
| Application | Puppet | Puppet Enterprise | All | All | All | All |
| Application | Ruby-lang | Ruby | All | All | All | All |
| Application | Ruby-lang | Ruby | 2.0.0 | - | All | All |
| Application | Ruby-lang | Ruby | 2.0.0 | p0 | All | All |
| Application | Ruby-lang | Ruby | 2.0.0 | p195 | All | All |
| Application | Ruby-lang | Ruby | 2.0.0 | p247 | All | All |
| Application | Ruby-lang | Ruby | 2.0.0 | p353 | All | All |
| Application | Ruby-lang | Ruby | 2.0.0 | p451 | All | All |
| Application | Ruby-lang | Ruby | 2.0.0 | p481 | All | All |
| Application | Ruby-lang | Ruby | 2.0.0 | p576 | All | All |
| Application | Ruby-lang | Ruby | 2.0.0 | p594 | All | All |
| Application | Ruby-lang | Ruby | 2.0.0 | p598 | All | All |
| Application | Ruby-lang | Ruby | 2.0.0 | p643 | All | All |
| Application | Ruby-lang | Trunk | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Debian -- Security Information -- DSA-3246-1 ruby1.9.1 | MISC | www.debian.org | Third Party Advisory |
| CVE-2015-1855: Ruby OpenSSL Hostname Verification | MISC | www.ruby-lang.org | Vendor Advisory |
| CVE-2015-1855 | Puppet Labs | MISC | puppetlabs.com | Third Party Advisory |
| Debian -- Security Information -- DSA-3247-1 ruby2.1 | MISC | www.debian.org | Third Party Advisory |
| Debian -- Security Information -- DSA-3245-1 ruby1.8 | MISC | www.debian.org | Third Party Advisory |
| Bug #9644: ssl hostname verification security bug: verify_certificate_identity wildcard matching allows to much - Ruby trunk - Ruby Issue Tracking System | MISC | bugs.ruby-lang.org | Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.