Rubysec

Providing security resources for the Ruby community.
Follow us @rubysec or email us via info at rubysec.com

Advisory Archive

---
gem: http
date: 2015-03-24
url: https://groups.google.com/forum/#!topic/httprb/jkb4oxwZjkU
cve: 2015-1828
title: HTTPS MitM vulnerability in http.rb
description: |
  http.rb failed to call the OpenSSL::SSL::SSLSocket#post_connection_check method to perform hostname verification.
  Because of this, an attacker with a valid certificate but with a mismatched subject can perform a MitM attack.
cvss_v2: '5.0'
patched_versions:
- ">= 0.7.3"
- "~> 0.6.4"