CVE-2007-5162
First published: Thu Sep 27 2007(Updated: )
The connect method in lib/net/http.rb in the (1) Net::HTTP and (2) Net::HTTPS libraries in Ruby 1.8.5 and 1.8.6 does not verify that the commonName (CN) field in a server certificate matches the domain name in an HTTPS request, which makes it easier for remote attackers to intercept SSL transmissions via a man-in-the-middle attack or spoofed web site.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/ruby | <0:1.8.5-5.el5_1.1 | 0:1.8.5-5.el5_1.1 |
| Ruby | =1.8.5 | |
| Ruby | =1.8.6 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.isecpartners.com/advisories/2007-006-rubyssl.txt
- http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=13499
- http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=13500
- http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=13502
- http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=13504
- http://www.securityfocus.com/bid/25847
- https://bugzilla.redhat.com/show_bug.cgi?id=313791
- http://www.debian.org/security/2007/dsa-1410
- http://www.debian.org/security/2007/dsa-1411
- http://www.debian.org/security/2007/dsa-1412
- https://www.redhat.com/archives/fedora-package-announce/2007-October/msg00097.html
- https://www.redhat.com/archives/fedora-package-announce/2007-October/msg00087.html
- https://www.redhat.com/archives/fedora-package-announce/2007-October/msg00391.html
- http://www.redhat.com/support/errata/RHSA-2007-0961.html
- http://www.redhat.com/support/errata/RHSA-2007-0965.html
- http://www.novell.com/linux/security/advisories/2007_24_sr.html
- http://secunia.com/advisories/26985
- http://secunia.com/advisories/27044
- http://secunia.com/advisories/27432
- http://secunia.com/advisories/27576
- http://secunia.com/advisories/27673
- http://secunia.com/advisories/27764
- http://secunia.com/advisories/27769
- http://secunia.com/advisories/27818
- http://securityreason.com/securityalert/3180
- http://secunia.com/advisories/27756
- http://www.mandriva.com/security/advisories?name=MDVSA-2008:029
- http://secunia.com/advisories/28645
- http://www.ubuntu.com/usn/usn-596-1
- http://secunia.com/advisories/29556
- http://www.vupen.com/english/advisories/2007/3340
- https://exchange.xforce.ibmcloud.com/vulnerabilities/36861
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10738
- http://www.securityfocus.com/archive/1/483577/100/0/threaded
- http://www.securityfocus.com/archive/1/480987/100/0/threaded
- https://access.redhat.com/security/cve/CVE-2007-5162
- http://www.securityfocus.com/archive/1/480987
- http://rhn.redhat.com/errata/RHSA-2007-0965.html
- http://rhn.redhat.com/errata/RHSA-2007-0961.html
- https://admin.fedoraproject.org/updates/F7/FEDORA-2007-2406
- https://bugzilla.redhat.com/show_bug.cgi?id=313691
- https://www.cve.org/CVERecord?id=CVE-2007-5162 https://nvd.nist.gov/vuln/detail/CVE-2007-5162
- https://access.redhat.com/errata/RHSA-2007:0961
- https://access.redhat.com/errata/RHSA-2007:0965
- https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2007-5162.json
Frequently Asked Questions
What is the severity of CVE-2007-5162?
CVE-2007-5162 has a medium severity rating due to its potential to allow remote attackers to intercept SSL transmissions.
How do I fix CVE-2007-5162?
To fix CVE-2007-5162, update Ruby to version 1.8.7 or later, which includes proper certificate validation.
What versions of Ruby are affected by CVE-2007-5162?
CVE-2007-5162 affects Ruby versions 1.8.5 and 1.8.6.
What specific method in Ruby is vulnerable according to CVE-2007-5162?
The connect method in the Net::HTTP and Net::HTTPS libraries is vulnerable according to CVE-2007-5162.
Is CVE-2007-5162 a critical vulnerability?
CVE-2007-5162 is not classified as critical, but it poses security risks that should be addressed promptly.
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2007-5162
- collector/redhat-cve
- agent/software-canonical-lookup
- agent/references
- agent/remedy
- agent/severity
- agent/weakness
- agent/author
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/trending
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-historical
- package-manager/redhat
- vendor/ruby-lang
- canonical/ruby
- version/ruby/1.8.5
- version/ruby/1.8.6