No validation of hostname certificate in net-ldap
Published: December 17, 2017
SECURITY IDENTIFIERS
- CVE: CVE-2017-17718 (NVD)
- GHSA: GHSA-m7p8-9w66-9frm
- Vendor Advisory: https://github.com/ruby-ldap/ruby-net-ldap/issues/258
GEM
SEVERITY
CVSS v3.x: 5.9 (Medium)
PATCHED VERSIONS
>= 0.16.0
DESCRIPTION
The Net::LDAP (aka net-ldap) gem before 0.16.0 for Ruby is missing SSL certificate validation: the LDAP server's certificate was not verified to match the hostname the client was supposed to be connecting to.
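The following added example (not code from net-ldap or from this advisory) uses Ruby's standard OpenSSL library to show the gap described above: a certificate can pass chain validation and still belong to a different host, so the name must be checked separately. The hostnames, the self-signed certificate and the helper names `build_cert`, `trust_store`, `chain_trusted?` and `trusted_for_host?` are constructed for illustration.

```ruby
require "openssl"

# Constructed sample: a self-signed certificate valid for exactly one DNS name.
def build_cert(dns_name)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{dns_name}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  cert.add_extension(ef.create_extension("subjectAltName", "DNS:#{dns_name}", false))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Trust store holding the given certificates as trust anchors.
def trust_store(*anchors)
  store = OpenSSL::X509::Store.new
  anchors.each { |c| store.add_cert(c) }
  store
end

# Chain validation only: answers "is this certificate trusted?" for any host.
def chain_trusted?(cert, store)
  store.verify(cert)
end

# Chain validation plus identity check against the host the client dialed.
def trusted_for_host?(cert, store, host)
  store.verify(cert) && OpenSSL::SSL.verify_certificate_identity(cert, host)
end

if __FILE__ == $PROGRAM_NAME
  cert = build_cert("ldap.example.test")
  store = trust_store(cert)
  intended = "other.example.test" # host the client meant to reach (constructed)
  puts "chain only:       #{chain_trusted?(cert, store)}"
  puts "chain + hostname: #{trusted_for_host?(cert, store, intended)}"
end
```

On a live TLS connection the equivalent identity check is `OpenSSL::SSL::SSLSocket#post_connection_check(hostname)`, which raises `OpenSSL::SSL::SSLError` on a mismatch.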
