Vulnerability Description
The connect method in lib/net/http.rb in the (1) Net::HTTP and (2) Net::HTTPS libraries in Ruby 1.8.5 and 1.8.6 does not verify that the commonName (CN) field in a server certificate matches the domain name in an HTTPS request, which makes it easier for remote attackers to intercept SSL transmissions via a man-in-the-middle attack or spoofed web site.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ruby-Lang | Ruby | 1.8.5 |
Related Weaknesses (CWE)
References
- http://secunia.com/advisories/26985
- http://secunia.com/advisories/27044
- http://secunia.com/advisories/27432
- http://secunia.com/advisories/27576
- http://secunia.com/advisories/27673
- http://secunia.com/advisories/27756
- http://secunia.com/advisories/27764
- http://secunia.com/advisories/27769
- http://secunia.com/advisories/27818
- http://secunia.com/advisories/28645
- http://secunia.com/advisories/29556
- http://securityreason.com/securityalert/3180
- http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=13499Patch
- http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=13500Patch
- http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=13502Patch
FAQ
What is CVE-2007-5162?
CVE-2007-5162 is a vulnerability with a CVSS score of 4.3 (MEDIUM). The connect method in lib/net/http.rb in the (1) Net::HTTP and (2) Net::HTTPS libraries in Ruby 1.8.5 and 1.8.6 does not verify that the commonName (CN) field in a server certificate matches the domai...
How severe is CVE-2007-5162?
CVE-2007-5162 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2007-5162?
Check the references section above for vendor advisories and patch information. Affected products include: Ruby-Lang Ruby.