RubySec

Providing security resources for the Ruby community

CVE-2015-1828 (http): HTTPS MitM vulnerability in http.rb

ADVISORIES

GEM

http

SEVERITY

CVSS v2: 5.0

PATCHED VERSIONS

  • >= 0.7.3
  • ~> 0.6.4

DESCRIPTION

http.rb failed to call the OpenSSL::SSL::SSLSocket#post_connection_check method to perform hostname verification. Because of this, an attacker with a valid certificate but with a mismatched subject can perform a MitM attack.