Sha256: 4509bcb155c94ad25da7e64ea2379aed252778d92dc2569b20a4a4242ec98770

Contents?: true

Size: 641 Bytes

Versions: 6

Compression:

Stored size: 641 Bytes

Contents

---
engine: ruby
cve: 2007-5162
url: https://www.ruby-lang.org/en/news/2007/10/04/net-https-vulnerability/
title: Ruby Net::HTTPS library does not validate server certificate CN
date: 2007-09-27
description: |
  The connect method in lib/net/http.rb in the (1) Net::HTTP and (2) Net::HTTPS
  libraries in Ruby 1.8.5 and 1.8.6 does not verify that the commonName (CN)
  field in a server certificate matches the domain name in an HTTPS request,
  which makes it easier for remote attackers to intercept SSL transmissions via
  a man-in-the-middle attack or spoofed web site.
cvss_v2: 4.3
patched_versions:
  - ~> 1.8.5.114
  - ">= 1.8.6.111"

Version data entries

6 entries across 6 versions & 2 rubygems

| Version | Path |
|---|---|
| bundler-audit-0.7.0.1 | data/ruby-advisory-db/rubies/ruby/CVE-2007-5162.yml |
| bundler-budit-0.6.2 | data/ruby-advisory-db/rubies/ruby/CVE-2007-5162.yml |
| bundler-budit-0.6.1 | data/ruby-advisory-db/rubies/ruby/CVE-2007-5162.yml |
| bundler-audit-0.6.1 | data/ruby-advisory-db/rubies/ruby/CVE-2007-5162.yml |
| bundler-audit-0.6.0 | data/ruby-advisory-db/rubies/ruby/CVE-2007-5162.yml |
| bundler-audit-0.5.0 | data/ruby-advisory-db/rubies/ruby/CVE-2007-5162.yml |