HTTPS MitM vulnerability in http.rb
Published: March 24, 2015
SECURITY IDENTIFIERS
- CVE: CVE-2015-1828 (NVD)
- GHSA: GHSA-6wpv-cj6x-v3jw
- OSVDB: OSVDB-119927
- Vendor Advisory: https://groups.google.com/forum/#!topic/httprb/jkb4oxwZjkU
GEM
SEVERITY
PATCHED VERSIONS
>= 0.7.3
~> 0.6.4
DESCRIPTION
http.rb failed to call the OpenSSL::SSL::SSLSocket#post_connection_check method to perform hostname verification. Because of this, an attacker with a valid certificate but with a mismatched subject can perform a MitM attack.
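The gap described above, as an added example (not http.rb's own code): a certificate that chains to a trusted CA passes chain validation no matter which host the client dialed, and only the hostname check that `post_connection_check` performs rejects it. The CA, keys and host names (`api.example.com`, `other.example.net`) are constructed for the demonstration, and `make_cert` and `evaluate_peer` are hypothetical helpers.

```ruby
require "openssl"

# Build a throwaway certificate. All names and keys here are constructed test data.
def make_cert(cn, key, issuer: nil, issuer_key: nil, ca: false, san: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = rand(1..2**31)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.add_extension(ef.create_extension("subjectAltName", san)) if san
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Chain validation answers: "was this certificate signed by a CA I trust?"
def chain_trusted?(store, cert)
  store.verify(cert)
end

# The hostname check answers: "was this certificate issued for the host I dialed?"
# post_connection_check raises when this predicate returns false.
def hostname_matches?(cert, hostname)
  OpenSSL::SSL.verify_certificate_identity(cert, hostname)
end

def evaluate_peer(store, cert, hostname)
  { chain_ok: chain_trusted?(store, cert), host_ok: hostname_matches?(cert, hostname) }
end

ca_key = OpenSSL::PKey::RSA.new(2048)
CA_CERT = make_cert("Constructed Test CA", ca_key, ca: true)
STORE = OpenSSL::X509::Store.new
STORE.add_cert(CA_CERT)

leaf_key = OpenSSL::PKey::RSA.new(2048)
LEAF = make_cert("other.example.net", leaf_key, issuer: CA_CERT, issuer_key: ca_key,
                 san: "DNS:other.example.net")

DIALED = evaluate_peer(STORE, LEAF, "api.example.com")   # host the client meant to reach
ISSUED = evaluate_peer(STORE, LEAF, "other.example.net") # host the certificate names
puts "dialed api.example.com:   #{DIALED}"
puts "dialed other.example.net: #{ISSUED}"
```

A client that stops at `chain_ok` accepts this certificate for `api.example.com`; one that also requires `host_ok` does not.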
