CVE-2009-0642
Published 2009-02-20
Priority: P428 (medium)
CVSS 2.0: 6.8 (medium), vector AV:N/AC:M/Au:N/C:P/I:P/A:P
EPSS: 2.64% (83.7th percentile)
ext/openssl/ossl_ocsp.c in Ruby 1.8 and 1.9 does not properly check the return value from the OCSP_basic_verify function, which might allow remote attackers to successfully present an invalid X.509 certificate, possibly involving a revoked certificate.
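The check that matters here is the boolean that OpenSSL::OCSP::BasicResponse#verify hands back. Under the hood, OpenSSL's OCSP_basic_verify returns 1 on success, 0 when the signature or responder chain does not check out, and a negative value on an internal error, so a "nonzero means success" test accepts the error case; that is the class of mistake the description above refers to. The C-level defect cannot be reproduced from Ruby, so the script below (an added example, not code from the Ruby project or from any advisory on this page) models the consumer-side consequence instead: it builds a constructed test PKI, has the trusted CA sign an OCSP response marking a certificate REVOKED, has an unrelated self-signed "responder" sign a response claiming the same certificate is GOOD, and shows what a caller that ignores the verify result would conclude versus one that does not. All names, keys, certificates and the helper functions make_cert, signed_response, cert_status_unchecked, cert_status_checked and ocsp_scenario are constructed for this example.

```ruby
require 'openssl'

# Fixture helper (constructed for this example): a self-signed or CA-issued
# X.509 certificate with the given extensions.
def make_cert(subject, key, issuer_cert, issuer_key, serial, extensions)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  extensions.each do |oid, value, critical|
    cert.add_extension(ef.create_extension(oid, value, critical))
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Build a BasicResponse carrying one SingleResponse for +cid+ and sign it.
# Passing an empty certs array makes OpenSSL embed the signer certificate,
# which is how a client later locates the key that signed the response.
def signed_response(cid, status, signer_cert, signer_key, reason: 0, revoked_at: nil)
  basic = OpenSSL::OCSP::BasicResponse.new
  basic.add_status(cid, status, reason, revoked_at, Time.now, Time.now + 300, nil)
  basic.sign(signer_cert, signer_key, [], 0, 'SHA256')
  basic
end

# Status code of the SingleResponse matching +cid+, or nil if none matches.
def single_status(basic, cid)
  entry = basic.status.find { |e| e[0].cmp(cid) }
  entry && entry[1]
end

# Vulnerable pattern: verify is called but its result is thrown away, so a
# response signed by anybody at all decides the certificate's status.
def cert_status_unchecked(basic, cid, store)
  basic.verify([], store)
  single_status(basic, cid)
end

# Correct pattern: the response is consulted only after verify returns true.
def cert_status_checked(basic, cid, store)
  return :untrusted unless basic.verify([], store)
  single_status(basic, cid) || :unknown
end

# Constructed scenario: a CA, a certificate it issued, a genuine REVOKED
# response signed by the CA, and a forged GOOD response from a rogue responder.
def ocsp_scenario
  ca_key  = OpenSSL::PKey::RSA.new(2048)
  ca_cert = make_cert('/CN=Example Root CA', ca_key, nil, nil, 1,
                      [['basicConstraints', 'CA:TRUE', true],
                       ['keyUsage', 'keyCertSign, cRLSign, digitalSignature', true]])
  ee_key  = OpenSSL::PKey::RSA.new(2048)
  ee_cert = make_cert('/CN=server.example.test', ee_key, ca_cert, ca_key, 2,
                      [['basicConstraints', 'CA:FALSE', true]])
  cid = OpenSSL::OCSP::CertificateId.new(ee_cert, ca_cert)

  store = OpenSSL::X509::Store.new   # trusts only the real CA
  store.add_cert(ca_cert)

  legit = signed_response(cid, OpenSSL::OCSP::V_CERTSTATUS_REVOKED, ca_cert, ca_key,
                          reason: OpenSSL::OCSP::REVOKED_STATUS_KEYCOMPROMISE,
                          revoked_at: Time.now - 3600)

  atk_key  = OpenSSL::PKey::RSA.new(2048)
  atk_cert = make_cert('/CN=Rogue Responder', atk_key, nil, nil, 1,
                       [['basicConstraints', 'CA:TRUE', true]])
  forged = signed_response(cid, OpenSSL::OCSP::V_CERTSTATUS_GOOD, atk_cert, atk_key)

  {
    legit_verifies:   legit.verify([], store),
    forged_verifies:  forged.verify([], store),
    unchecked_forged: cert_status_unchecked(forged, cid, store),
    checked_forged:   cert_status_checked(forged, cid, store),
    checked_legit:    cert_status_checked(legit, cid, store)
  }
end

if __FILE__ == $PROGRAM_NAME
  ocsp_scenario.each { |name, value| puts "#{name}: #{value.inspect}" }
end
```

With a fixed Ruby, `forged_verifies` is false because the rogue responder's certificate does not chain to the trust store, and only the checked caller refuses the forged GOOD answer; the unchecked caller reports the revoked certificate as good, which is exactly the outcome the description above warns about. Production callers should additionally check SingleResponse freshness (thisUpdate/nextUpdate) before acting on a status, which this example omits.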
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ruby-lang | ruby | — | — |
| ruby-lang | ruby | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| vendor_redhat | — | 6.8 | MEDIUM | — |
| vendor_ubuntu | — | 6.8 | MEDIUM | — |
Ubuntu
Ruby vulnerabilities
vendor_ubuntu·2009-07-20·CVSS 6.8
CVE-2009-0642 [MEDIUM] Ruby vulnerabilities
It was discovered that Ruby did not properly validate certificates. An attacker could exploit this and present invalid or revoked X.509 certificates. (CVE-2009-0642)

It was discovered that Ruby did not properly handle string arguments that represent large numbers. An attacker could exploit this and cause a denial of service. (CVE-2009-1904)

Instructions: In general, a standard system upgrade is sufficient to effect the necessary changes.
Red Hat
ruby: Incorrect checks for validity of X.509 certificates
vendor_redhat·2009-01-29·CVSS 6.8
CVE-2009-0642 [MEDIUM] ruby: Incorrect checks for validity of X.509 certificates
ext/openssl/ossl_ocsp.c in Ruby 1.8 and 1.9 does not properly check the return value from the OCSP_basic_verify function, which might allow remote attackers to successfully present an invalid X.509 certificate, possibly involving a revoked certificate.
GHSA
GHSA-4gvm-4mw2-9fpv: ext/openssl/ossl_ocsp
ghsa_unreviewed·2022-05-02
CVE-2009-0642 [MEDIUM] CWE-287 GHSA-4gvm-4mw2-9fpv: ext/openssl/ossl_ocsp
ext/openssl/ossl_ocsp.c in Ruby 1.8 and 1.9 does not properly check the return value from the OCSP_basic_verify function, which might allow remote attackers to successfully present an invalid X.509 certificate, possibly involving a revoked certificate.
No detection rules found.
No public exploits indexed.
References
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=513528
- http://redmine.ruby-lang.org/issues/show/1091
- http://secunia.com/advisories/33750
- http://secunia.com/advisories/35699
- http://secunia.com/advisories/35937
- http://www.mandriva.com/security/advisories?name=MDVSA-2009:193
- http://www.redhat.com/support/errata/RHSA-2009-1140.html
- http://www.securityfocus.com/bid/33769
- http://www.securitytracker.com/id?1022505
- http://www.ubuntu.com/usn/USN-805-1
- https://exchange.xforce.ibmcloud.com/vulnerabilities/48761
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11450