Vulnerability Details : CVE-2015-1855
verify_certificate_identity in the OpenSSL extension in Ruby before 2.0.0 patchlevel 645, 2.1.x before 2.1.6, and 2.2.x before 2.2.2 does not properly validate hostnames, which allows remote attackers to spoof servers via vectors related to (1) multiple wildcards, (2) wildcards in IDNA names, (3) case sensitivity, and (4) non-ASCII characters.
Vulnerability category: Input validation
Products affected by CVE-2015-1855
- cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*
- cpe:2.3:a:ruby-lang:ruby:2.0.0:p195:*:*:*:*:*:*
- cpe:2.3:a:ruby-lang:ruby:2.0.0:p598:*:*:*:*:*:*
- cpe:2.3:a:ruby-lang:ruby:2.0.0:p643:*:*:*:*:*:*
- cpe:2.3:a:ruby-lang:ruby:2.0.0:p481:*:*:*:*:*:*
- cpe:2.3:a:ruby-lang:ruby:2.0.0:p576:*:*:*:*:*:*
- cpe:2.3:a:ruby-lang:ruby:2.0.0:p594:*:*:*:*:*:*
- cpe:2.3:a:ruby-lang:ruby:2.0.0:p247:*:*:*:*:*:*
- cpe:2.3:a:ruby-lang:ruby:2.0.0:p353:*:*:*:*:*:*
- cpe:2.3:a:ruby-lang:ruby:2.0.0:p0:*:*:*:*:*:*
- cpe:2.3:a:ruby-lang:ruby:2.0.0:p451:*:*:*:*:*:*
- cpe:2.3:a:ruby-lang:ruby:2.0.0:-:*:*:*:*:*:*
- cpe:2.3:a:ruby-lang:trunk:*:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet_enterprise:*:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet_agent:1.0.0:*:*:*:*:*:*:*
Threat overview for CVE-2015-1855
- Top open port discovered on systems with this issue: 80
- IPs affected by CVE-2015-1855: 1,944
- Threat actors abusing this issue? Yes
Exploit prediction scoring system (EPSS) score for CVE-2015-1855
- EPSS score: 2.80% (probability of exploitation activity in the next 30 days)
- Percentile: ~90% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2015-1855
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N | 8.6 | 2.9 | NIST | |
5.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N | 2.2 | 3.6 | NIST | |
CWE ids for CVE-2015-1855
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Assigned by: nvd@nist.gov (Primary)
References for CVE-2015-1855
- https://bugs.ruby-lang.org/issues/9644
  Bug #9644: ssl hostname verification security bug: verify_certificate_identity wildcard matching allows to much - Ruby master - Ruby Issue Tracking System (Third Party Advisory)
- http://www.debian.org/security/2015/dsa-3246
  Debian -- Security Information -- DSA-3246-1 ruby1.9.1 (Third Party Advisory)
- https://puppetlabs.com/security/cve/cve-2015-1855
  CVE-2015-1855 - Ruby OpenSSL Hostname Verification | Puppet.com (Third Party Advisory)
- https://www.ruby-lang.org/en/news/2015/04/13/ruby-openssl-hostname-matching-vulnerability/
  CVE-2015-1855: Ruby OpenSSL Hostname Verification (Vendor Advisory)
- http://www.debian.org/security/2015/dsa-3247
  Debian -- Security Information -- DSA-3247-1 ruby2.1 (Third Party Advisory)
- http://www.debian.org/security/2015/dsa-3245
  Debian -- Security Information -- DSA-3245-1 ruby1.8 (Third Party Advisory)