
CVE-2007-5162    Date: (C) 2007-10-01   (M) 2023-12-22


The connect method in lib/net/http.rb in the (1) Net::HTTP and (2) Net::HTTPS libraries in Ruby 1.8.5 and 1.8.6 does not verify that the commonName (CN) field in a server certificate matches the domain name in an HTTPS request, which makes it easier for remote attackers to intercept SSL transmissions via a man-in-the-middle attack or spoofed web site.

CVSS Score and Metrics

CVSS V2 Severity:
CVSS Score : 4.3
Exploit Score: 8.6
Impact Score: 2.9
 
CVSS V2 Metrics:
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality: NONE
Integrity: PARTIAL
Availability: NONE
  
Reference:
http://www.securityfocus.com/archive/1/480987/100/0/threaded
http://www.securityfocus.com/archive/1/483577/100/0/threaded
BID-25847
SECUNIA-26985
SECUNIA-27044
SECUNIA-27432
SECUNIA-27576
SECUNIA-27673
SECUNIA-27756
SECUNIA-27764
SECUNIA-27769
SECUNIA-27818
SECUNIA-28645
SECUNIA-29556
SREASON-3180
ADV-2007-3340
DSA-1410
DSA-1411
DSA-1412
FEDORA-2007-2406
FEDORA-2007-2685
FEDORA-2007-718
MDVSA-2008:029
RHSA-2007:0961
RHSA-2007:0965
SUSE-SR:2007:024
USN-596-1
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=13499
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=13500
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=13502
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=13504
http://www.isecpartners.com/advisories/2007-006-rubyssl.txt
https://bugzilla.redhat.com/show_bug.cgi?id=313791
oval:org.mitre.oval:def:10738
ruby-nethttps-mitm(36861)

CWE (1):
CWE-287
OVAL (1):
oval:org.secpod.oval:def:301337

© SecPod Technologies