First published: Thu Sep 27 2007(Updated: )
The connect method in lib/net/http.rb in the (1) Net::HTTP and (2) Net::HTTPS libraries in Ruby 1.8.5 and 1.8.6 does not verify that the commonName (CN) field in a server certificate matches the domain name in an HTTPS request, which makes it easier for remote attackers to intercept SSL transmissions via a man-in-the-middle attack or spoofed web site.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/ruby | <0:1.8.5-5.el5_1.1 | 0:1.8.5-5.el5_1.1 |
Ruby | =1.8.5 | |
Ruby | =1.8.6 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2007-5162 has a medium severity rating due to its potential to allow remote attackers to intercept SSL transmissions.
To fix CVE-2007-5162, update Ruby to version 1.8.7 or later, which includes proper certificate validation.
CVE-2007-5162 affects Ruby versions 1.8.5 and 1.8.6.
The connect method in the Net::HTTP and Net::HTTPS libraries is vulnerable according to CVE-2007-5162.
CVE-2007-5162 is not classified as critical, but it poses security risks that should be addressed promptly.