5.9

CVE-2015-1855

verify_certificate_identity in the OpenSSL extension in Ruby before 2.0.0 patchlevel 645, 2.1.x before 2.1.6, and 2.2.x before 2.2.2 does not properly validate hostnames, which allows remote attackers to spoof servers via vectors related to (1) multiple wildcards, (2) wildcards in IDNA names, (3) case sensitivity, and (4) non-ASCII characters.

Data is provided by the National Vulnerability Database (NVD)
Ruby-lang Ruby Version >= 2.1.0 < 2.1.6
Ruby-lang Ruby Version >= 2.2.0 < 2.2.2
Ruby-lang Ruby Version 2.0.0 Update -
Ruby-lang Ruby Version 2.0.0 Update p0
Ruby-lang Ruby Version 2.0.0 Update p195
Ruby-lang Ruby Version 2.0.0 Update p247
Ruby-lang Ruby Version 2.0.0 Update p353
Ruby-lang Ruby Version 2.0.0 Update p451
Ruby-lang Ruby Version 2.0.0 Update p481
Ruby-lang Ruby Version 2.0.0 Update p576
Ruby-lang Ruby Version 2.0.0 Update p594
Ruby-lang Ruby Version 2.0.0 Update p598
Ruby-lang Ruby Version 2.0.0 Update p643
Ruby-lang Trunk Version < 50292
Debian Debian Linux Version 7.0
Debian Debian Linux Version 8.0
Debian Debian Linux Version 9.0
Puppet Puppet Agent Version 1.0.0
Puppet Puppet Enterprise Version >= 3.0.0 < 3.8.0
No CISA KEV or CERT.AT warning was found for this CVE.
EPSS Metrics
Type Source Score Percentile
EPSS FIRST.org 2.72% 0.854
CVSS Metrics
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 5.9 2.2 3.6 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
nvd@nist.gov 4.3 8.6 2.9 AV:N/AC:M/Au:N/C:N/I:P/A:N
CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.