Unrated severityNVD Advisory· Published Nov 29, 2019· Updated Aug 6, 2024
CVE-2015-1855
CVE-2015-1855
Description
verify_certificate_identity in the OpenSSL extension in Ruby before 2.0.0 patchlevel 645, 2.1.x before 2.1.6, and 2.2.x before 2.2.2 does not properly validate hostnames, which allows remote attackers to spoof servers via vectors related to (1) multiple wildcards, (1) wildcards in IDNA names, (3) case sensitivity, and (4) non-ASCII characters.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
20- osv-coords18 versionspkg:rpm/opensuse/ruby2.2&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/ruby2.3&distro=openSUSE%20Tumbleweedpkg:rpm/suse/ruby19&distro=SUSE%20Studio%20Onsite%201.3pkg:rpm/suse/ruby2.1&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP1pkg:rpm/suse/ruby2.1&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP2pkg:rpm/suse/ruby2.1&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP1pkg:rpm/suse/ruby2.1&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2pkg:rpm/suse/ruby2.1&distro=SUSE%20Linux%20Enterprise%20Server%20for%20Raspberry%20Pi%2012%20SP2pkg:rpm/suse/ruby2.1&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP1pkg:rpm/suse/ruby2.1&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP2pkg:rpm/suse/ruby2.1&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP1pkg:rpm/suse/ruby2.1&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP2pkg:rpm/suse/ruby&distro=SUSE%20Lifecycle%20Management%20Server%201.3pkg:rpm/suse/ruby&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4pkg:rpm/suse/ruby&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2011%20SP4pkg:rpm/suse/ruby&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2011%20SP4pkg:rpm/suse/ruby&distro=SUSE%20Studio%20Onsite%201.3pkg:rpm/suse/ruby&distro=SUSE%20WebYast%201.3
< 2.2.5-1.5+ 17 more
- (no CPE)range: < 2.2.5-1.5
- (no CPE)range: < 2.3.1-1.6
- (no CPE)range: < 1.9.3.p392-0.23.1
- (no CPE)range: < 2.1.9-15.1
- (no CPE)range: < 2.1.9-15.1
- (no CPE)range: < 2.1.9-15.1
- (no CPE)range: < 2.1.9-15.1
- (no CPE)range: < 2.1.9-15.1
- (no CPE)range: < 2.1.9-15.1
- (no CPE)range: < 2.1.9-15.1
- (no CPE)range: < 2.1.9-15.1
- (no CPE)range: < 2.1.9-15.1
- (no CPE)range: < 1.8.7.p357-0.9.19.1
- (no CPE)range: < 1.8.7.p357-0.9.19.1
- (no CPE)range: < 1.8.7.p357-0.9.19.1
- (no CPE)range: < 1.8.7.p357-0.9.19.1
- (no CPE)range: < 1.8.7.p357-0.9.19.1
- (no CPE)range: < 1.8.7.p357-0.9.19.1
Patches
Vulnerability mechanics
References
6- www.debian.org/security/2015/dsa-3245mitrex_refsource_MISC
- www.debian.org/security/2015/dsa-3246mitrex_refsource_MISC
- www.debian.org/security/2015/dsa-3247mitrex_refsource_MISC
- bugs.ruby-lang.org/issues/9644mitrex_refsource_MISC
- puppetlabs.com/security/cve/cve-2015-1855mitrex_refsource_MISC
- www.ruby-lang.org/en/news/2015/04/13/ruby-openssl-hostname-matching-vulnerability/mitrex_refsource_MISC
News mentions
0No linked articles in our index yet.