Lucene search

RubySecRUBY:RUBY-2009-0642

HistoryJan 28, 2009 - 9:00 p.m.

Ruby 'OCSP_basic_verify()' X.509 Certificate Verification Vulnerability

2009-01-2821:00:00

RubySec

bugs.debian.org

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

JSON

ext/openssl/ossl_ocsp.c in Ruby 1.8 and 1.9 does not properly check the
return value from the OCSP_basic_verify function, which might allow remote
attackers to successfully present an invalid X.509 certificate, possibly
involving a revoked certificate.

Affected configurations

Vulners

Node

rubyrubyRange1.8.0–1.8.6.369

rubyrubyRange1.8.0–1.8.7.173

rubyrubyRange1.9.0–1.9.1.129

rubyrubyRange≤1.9.2.1

VendorProductVersionCPE
rubyruby*cpe:2.3:a:ruby:ruby:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ruby	ruby	*	cpe:2.3:a:ruby:ruby::::::::

References

bugs.debian.org/cgi-bin/bugreport.cgi?bug=513528

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

JSON

Related for RUBY:RUBY-2009-0642