RubySec

Providing security resources for the Ruby community

OSVDB-115090 (bundler): Bundler Gem for Ruby Missing SSL Certificate Validation MitM Spoofing

Published: February 12, 2013

SECURITY IDENTIFIERS

GEM

bundler

PATCHED VERSIONS

>= 1.3.0.pre.8

DESCRIPTION

Bundler Gem for Ruby contains a flaw in which SSL certificates are not properly validated. By spoofing the SSL server with a certificate that appears valid, an attacker able to intercept network traffic (e.g. man-in-the-middle positioning, DNS cache poisoning) can disclose and optionally manipulate transmitted data.
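As an added example (not part of the RubySec advisory), the following Ruby snippet checks whether a bundler version falls inside the patched range quoted above, using RubyGems' own version comparison so that prerelease releases such as 1.3.0.pre.7 are classified correctly; the sample version list is constructed for illustration.

```ruby
# Added example, not from the advisory: classify bundler versions against the
# patched constraint ">= 1.3.0.pre.8" given in the advisory.
require 'rubygems'

# Patched-version constraint copied from the advisory.
PATCHED = Gem::Requirement.new('>= 1.3.0.pre.8')

# True when +version+ (a String) is a vulnerable bundler release, i.e. it does
# not satisfy the patched constraint. Gem::Version orders prerelease segments
# below the final release, so "1.3.0.pre.8" < "1.3.0" and "1.3.0.pre.7" < "1.3.0.pre.8".
def vulnerable_bundler?(version)
  !PATCHED.satisfied_by?(Gem::Version.new(version))
end

# Map each version string to :vulnerable or :patched.
def classify(versions)
  versions.to_h { |v| [v, vulnerable_bundler?(v) ? :vulnerable : :patched] }
end

# Inspect the newest bundler gem installed in this Ruby, if any.
def installed_bundler_status
  spec = Gem::Specification.find_all_by_name('bundler').max_by(&:version)
  return :not_installed unless spec
  vulnerable_bundler?(spec.version.to_s) ? :vulnerable : :patched
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample versions spanning both sides of the patched boundary.
  classify(%w[1.2.5 1.3.0.pre.7 1.3.0.pre.8 1.3.0.pre.10 1.3.0 1.3.5]).each do |v, status|
    puts "bundler #{v}: #{status}"
  end
  puts "installed bundler: #{installed_bundler_status}"
end
```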