Sha256: 4b278e049c991560cbf9d8973d6cb52bcdfb15398958aa372beff3fb4683c42f

Contents?: true

Size: 915 Bytes

Versions: 6

Compression:

Stored size: 915 Bytes

Contents

---
engine: ruby
cve: 2013-4073
osvdb: 94628
url: http://www.osvdb.org/show/osvdb/94628
title: Ruby SSL Client OpenSSL::SSL.verify_certificate_identity X.509 Certificate
  subjectAltName Field NULL Byte Handling MitM Spoofing Weakness
date: 2013-06-27
description: |
  Ruby SSL Client contains a flaw related to certificate validation in
  OpenSSL::SSL.verify_certificate_identity. The issue is due to the program not properly
  handling the subjectAltName field of the X.509 certificate when it contains NULL
  bytes. This may allow an attacker with access to network traffic (e.g. MiTM, DNS
  cache poisoning) to spoof the SSL server via an arbitrary certificate that appears
  valid. Such an attack would allow for the interception of sensitive traffic, and
  potentially allow for the injection of content into the SSL stream.
cvss_v2: 6.8
patched_versions:
  - ~> 1.8.7.373
  - ~> 1.9.3.447
  - ">= 2.0.0.246"

Version data entries

6 entries across 6 versions & 2 rubygems

Version                  Path
bundler-audit-0.7.0.1    data/ruby-advisory-db/rubies/ruby/CVE-2013-4073.yml
bundler-budit-0.6.2      data/ruby-advisory-db/rubies/ruby/OSVDB-94628.yml
bundler-budit-0.6.1      data/ruby-advisory-db/rubies/ruby/OSVDB-94628.yml
bundler-audit-0.6.1      data/ruby-advisory-db/rubies/ruby/OSVDB-94628.yml
bundler-audit-0.6.0      data/ruby-advisory-db/rubies/ruby/OSVDB-94628.yml
bundler-audit-0.5.0      data/ruby-advisory-db/rubies/ruby/OSVDB-94628.yml