Vulnerability Details CVE-2015-1855
verify_certificate_identity in the OpenSSL extension in Ruby before 2.0.0 patchlevel 645, 2.1.x before 2.1.6, and 2.2.x before 2.2.2 does not properly validate hostnames, which allows remote attackers to spoof servers via vectors related to (1) multiple wildcards, (1) wildcards in IDNA names, (3) case sensitivity, and (4) non-ASCII characters.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.027
EPSS Ranking 85.5%
CVSS Severity
CVSS v3 Score 5.9
CVSS v2 Score 4.3
References
- http://www.debian.org/security/2015/dsa-3245
- http://www.debian.org/security/2015/dsa-3246
- http://www.debian.org/security/2015/dsa-3247
- https://bugs.ruby-lang.org/issues/9644
- https://puppetlabs.com/security/cve/cve-2015-1855
- https://www.ruby-lang.org/en/news/2015/04/13/ruby-openssl-hostname-matching-vulnerability/
- http://www.debian.org/security/2015/dsa-3245
- http://www.debian.org/security/2015/dsa-3246
- http://www.debian.org/security/2015/dsa-3247
- https://bugs.ruby-lang.org/issues/9644
- https://puppetlabs.com/security/cve/cve-2015-1855
- https://www.ruby-lang.org/en/news/2015/04/13/ruby-openssl-hostname-matching-vulnerability/
Products affected by CVE-2015-1855
-
cpe:2.3:a:puppet:puppet_agent:1.0.0
-
cpe:2.3:a:puppet:puppet_enterprise:3.0.0
-
cpe:2.3:a:puppet:puppet_enterprise:3.0.1
-
cpe:2.3:a:puppet:puppet_enterprise:3.1.0
-
cpe:2.3:a:puppet:puppet_enterprise:3.1.1
-
cpe:2.3:a:puppet:puppet_enterprise:3.1.2
-
cpe:2.3:a:puppet:puppet_enterprise:3.1.3
-
cpe:2.3:a:puppet:puppet_enterprise:3.2.0
-
cpe:2.3:a:puppet:puppet_enterprise:3.2.1
-
cpe:2.3:a:puppet:puppet_enterprise:3.2.2
-
cpe:2.3:a:puppet:puppet_enterprise:3.2.3
-
cpe:2.3:a:puppet:puppet_enterprise:3.3.0
-
cpe:2.3:a:puppet:puppet_enterprise:3.3.1
-
cpe:2.3:a:puppet:puppet_enterprise:3.3.2
-
cpe:2.3:a:puppet:puppet_enterprise:3.7.0
-
cpe:2.3:a:puppet:puppet_enterprise:3.7.1
-
cpe:2.3:a:puppet:puppet_enterprise:3.7.2
-
cpe:2.3:a:ruby-lang:ruby:2.0.0
-
cpe:2.3:a:ruby-lang:ruby:2.1.0
-
cpe:2.3:a:ruby-lang:ruby:2.1.1
-
cpe:2.3:a:ruby-lang:ruby:2.1.2
-
cpe:2.3:a:ruby-lang:ruby:2.1.3
-
cpe:2.3:a:ruby-lang:ruby:2.1.4
-
cpe:2.3:a:ruby-lang:ruby:2.1.5
-
cpe:2.3:a:ruby-lang:ruby:2.2.0
-
cpe:2.3:a:ruby-lang:ruby:2.2.1
-
cpe:2.3:a:ruby-lang:trunk:-
-
cpe:2.3:o:debian:debian_linux:7.0
-
cpe:2.3:o:debian:debian_linux:8.0
-
cpe:2.3:o:debian:debian_linux:9.0