CVE-2007-5770 — Improper Authentication in Ruby

CWE-287 — Improper Authentication6 documents6 sources

Severity

5.0MEDIUMNVD

CNA4.3

EPSS

7.7%

top 8.06%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Ruby-lang Ruby

Timeline

PublishedNov 14

Latest updateMay 1

Description

The (1) Net::ftptls, (2) Net::telnets, (3) Net::imap, (4) Net::pop, and (5) Net::smtp libraries in Ruby 1.8.5 and 1.8.6 do not verify that the commonName (CN) field in a server certificate matches the domain name in a request sent over SSL, which makes it easier for remote attackers to intercept SSL transmissions via a man-in-the-middle attack or spoofed web site, different components than CVE-2007-5162.

CVSS vector

AV:N/AC:L/C:N/I:P/A:NExploitability: 10.0 | Impact: 2.9

Affected Packages1 packages

▶NVDruby-lang/ruby1.8.5, 1.8.6+1

Patches

Patch: secunia.com ↗Patch: www.redhat.com ↗Patch: secunia.com ↗

🔴Vulnerability Details

GHSA

GHSA-mf83-c25g-48r6: The (1) Net::ftptls, (2) Net::telnets, (3) Net::imap, (4) Net::pop, and (5) Net::smtp libraries in Ruby 1↗2022-05-01

▶

CVEList

CVE-2007-5770: The (1) Net::ftptls, (2) Net::telnets, (3) Net::imap, (4) Net::pop, and (5) Net::smtp libraries in Ruby 1↗2007-11-14

▶

📋Vendor Advisories

Ubuntu

Ruby vulnerabilities↗2008-03-26

▶

Red Hat

net:: * modules↗2007-10-08

▶

💬Community

Bugzilla

CVE-2007-5770 ruby insufficient verification of SSL certificate in various net::* modules↗2007-11-01

▶