CVE-2007-5162 — Improper Authentication in Ruby

CWE-287 — Improper Authentication10 documents6 sources

Severity

4.3MEDIUMNVD

EPSS

0.7%

top 28.92%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Ruby-lang Ruby

Timeline

PublishedOct 1

Latest updateMay 1

Description

The connect method in lib/net/http.rb in the (1) Net::HTTP and (2) Net::HTTPS libraries in Ruby 1.8.5 and 1.8.6 does not verify that the commonName (CN) field in a server certificate matches the domain name in an HTTPS request, which makes it easier for remote attackers to intercept SSL transmissions via a man-in-the-middle attack or spoofed web site.

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages1 packages

▶NVDruby-lang/ruby1.8.5, 1.8.6+1

Patches

Patch: svn.ruby-lang.org ↗Patch: svn.ruby-lang.org ↗Patch: svn.ruby-lang.org ↗

🔴Vulnerability Details

GHSA

GHSA-26pc-wx8w-v5vj: The connect method in lib/net/http↗2022-05-01

▶

CVEList

CVE-2007-5162: The connect method in lib/net/http↗2007-10-01

▶

📋Vendor Advisories

Ubuntu

Ruby vulnerabilities↗2008-03-26

▶

Red Hat

net:: * modules↗2007-10-08

▶

Red Hat

Net: HTTP insufficient verification of SSL certificate↗2007-09-27

▶

💬Community

Bugzilla

CVE-2007-5770 ruby insufficient verification of SSL certificate in various net::* modules↗2007-11-01

▶

Bugzilla

CVE-2007-5162 ruby Net:HTTP insufficient verification of SSL certificate [FC6]↗2007-10-01

▶

Bugzilla

CVE-2007-5162 ruby Net:HTTP insufficient verification of SSL certificate↗2007-10-01

▶

Bugzilla

CVE-2007-5162 ruby Net:HTTP insufficient verification of SSL certificate [F7]↗2007-10-01

▶