RubySec

Providing security resources for the Ruby community

CVE-2015-1828 (http): HTTPS MitM vulnerability in http.rb

GEM

http

SEVERITY

CVSS v3.x: 5.9 (Medium)

CVSS v2.0: 5.0 (Medium)

PATCHED VERSIONS

  • >= 0.7.3
  • ~> 0.6.4

DESCRIPTION

http.rb failed to call the OpenSSL::SSL::SSLSocket#post_connection_check method to perform hostname verification. Because of this, an attacker holding a certificate that is valid but issued for a different hostname (a mismatched subject) can perform a MitM attack.
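The following is an added example (not http.rb's code) showing why chain verification alone is not enough: the client trusts the server's certificate, so `VERIFY_PEER` passes either way, and only the `post_connection_check` call the advisory refers to rejects a certificate issued for a different host. The hostnames and the in-process TLS server are constructed for the demonstration.

```ruby
require "openssl"
require "socket"
# Self-signed cert for a constructed hostname (CA:TRUE as `openssl req -x509` emits by default).
def make_cert(hostname)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{hostname}")
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  cert.add_extension(ef.create_extension("subjectAltName", "DNS:#{hostname}"))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# Handshake with an in-process TLS server presenting `cert` (which the client trusts), then
# verify the peer as `expected_host`. Returns :ok, or :mismatch if post_connection_check rejects it.
def check_hostname(cert, key, expected_host)
  server = TCPServer.new("127.0.0.1", 0)
  done = Queue.new
  sctx = OpenSSL::SSL::SSLContext.new
  sctx.cert, sctx.key = cert, key
  srv = Thread.new do
    ssl = OpenSSL::SSL::SSLSocket.new(server.accept, sctx)
    ssl.sync_close = true
    ssl.accept
    done.pop # hold the session open until the client is finished
    ssl.close
  end
  cctx = OpenSSL::SSL::SSLContext.new
  cctx.cert_store = OpenSSL::X509::Store.new.tap { |s| s.add_cert(cert) }
  cctx.verify_mode = OpenSSL::SSL::VERIFY_PEER # chain check only; no hostname check
  sock = OpenSSL::SSL::SSLSocket.new(TCPSocket.new("127.0.0.1", server.addr[1]), cctx)
  sock.sync_close = true
  begin
    sock.connect # succeeds for any trusted cert, whatever its subject
    sock.post_connection_check(expected_host) # the call http.rb omitted
    :ok
  rescue OpenSSL::SSL::SSLError
    :mismatch
  ensure
    done << true
    sock.close
    srv.join
    server.close
  end
end
```

With a current openssl gem the same check can be enabled on the context with `verify_hostname = true` together with `sock.hostname = expected_host` before `connect`, which fails the handshake itself on a mismatch.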