github - GHSA-m7p8-9w66-9frm

GHSA-m7p8-9w66-9frm

Vulnerability from github

Published

2018-01-06 01:11

Modified

2023-01-23 21:24

Severity ?

5.9 (Medium) - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Summary

net-ldap Improper Certificate Validation vulnerability

Details

The Net::LDAP (aka net-ldap) gem before 0.16.0 for Ruby has Missing SSL Certificate Validation.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "net-ldap"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.16.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2017-17718"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:45:19Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "The Net::LDAP (aka net-ldap) gem before 0.16.0 for Ruby has Missing SSL Certificate Validation.",
  "id": "GHSA-m7p8-9w66-9frm",
  "modified": "2023-01-23T21:24:13Z",
  "published": "2018-01-06T01:11:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-17718"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ruby-ldap/ruby-net-ldap/issues/258"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ruby-ldap/ruby-net-ldap/pull/279"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ruby-ldap/ruby-net-ldap"
    },
    {
      "type": "WEB",
      "url": "http://openwall.com/lists/oss-security/2017/12/17/10"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "net-ldap Improper Certificate Validation vulnerability"
}

gsd-2017-17718

Vulnerability from gsd

Modified

2017-12-17 00:00

Details

The Net::LDAP (aka net-ldap) gem before 0.16.0 for Ruby has Missing SSL Certificate Validation. The LDAP server's certificate was not verified to match the host it was supposed to be connecting to.

Aliases

CVE-2017-17718

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2017-17718",
    "description": "The Net::LDAP (aka net-ldap) gem before 0.16.0 for Ruby has Missing SSL Certificate Validation.",
    "id": "GSD-2017-17718",
    "references": [
      "https://www.suse.com/security/cve/CVE-2017-17718.html",
      "https://access.redhat.com/errata/RHSA-2020:1454"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "affected": [
        {
          "package": {
            "ecosystem": "RubyGems",
            "name": "net-ldap",
            "purl": "pkg:gem/net-ldap"
          }
        }
      ],
      "aliases": [
        "CVE-2017-17718",
        "GHSA-m7p8-9w66-9frm"
      ],
      "details": "The Net::LDAP (aka net-ldap) gem before 0.16.0 for Ruby has Missing SSL\nCertificate Validation. The LDAP server\u0027s certificate was not verified\nto match the host it was supposed to be connecting to.\n",
      "id": "GSD-2017-17718",
      "modified": "2017-12-17T00:00:00.000Z",
      "published": "2017-12-17T00:00:00.000Z",
      "references": [
        {
          "type": "WEB",
          "url": "https://github.com/ruby-ldap/ruby-net-ldap/issues/258"
        },
        {
          "type": "WEB",
          "url": "https://github.com/ruby-ldap/ruby-net-ldap/pull/279"
        },
        {
          "type": "WEB",
          "url": "https://github.com/ruby-ldap/ruby-net-ldap/commit/e4c46a223a19feda78393a793711353aa1febdcd"
        }
      ],
      "schema_version": "1.4.0",
      "severity": [
        {
          "score": 5.9,
          "type": "CVSS_V3"
        }
      ],
      "summary": "No validation of hostname certificate in net-ldap"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2017-17718",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "The Net::LDAP (aka net-ldap) gem before 0.16.0 for Ruby has Missing SSL Certificate Validation."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "http://openwall.com/lists/oss-security/2017/12/17/10",
            "refsource": "MISC",
            "url": "http://openwall.com/lists/oss-security/2017/12/17/10"
          },
          {
            "name": "https://github.com/ruby-ldap/ruby-net-ldap/issues/258",
            "refsource": "MISC",
            "url": "https://github.com/ruby-ldap/ruby-net-ldap/issues/258"
          },
          {
            "name": "https://github.com/ruby-ldap/ruby-net-ldap/pull/279",
            "refsource": "MISC",
            "url": "https://github.com/ruby-ldap/ruby-net-ldap/pull/279"
          }
        ]
      }
    },
    "github.com/rubysec/ruby-advisory-db": {
      "cve": "2017-17718",
      "cvss_v3": 5.9,
      "date": "2017-12-17",
      "description": "The Net::LDAP (aka net-ldap) gem before 0.16.0 for Ruby has Missing SSL\nCertificate Validation. The LDAP server\u0027s certificate was not verified\nto match the host it was supposed to be connecting to.\n",
      "gem": "net-ldap",
      "ghsa": "m7p8-9w66-9frm",
      "patched_versions": [
        "\u003e= 0.16.0"
      ],
      "related": {
        "url": [
          "https://github.com/ruby-ldap/ruby-net-ldap/pull/279",
          "https://github.com/ruby-ldap/ruby-net-ldap/commit/e4c46a223a19feda78393a793711353aa1febdcd"
        ]
      },
      "title": "No validation of hostname certificate in net-ldap",
      "url": "https://github.com/ruby-ldap/ruby-net-ldap/issues/258"
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c0.16.0",
          "affected_versions": "All versions before 0.16.0",
          "credit": "Raphael Geissert",
          "cvss_v2": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
          "cvss_v3": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-295",
            "CWE-937"
          ],
          "date": "2018-01-05",
          "description": "Net-ldap does not validate the hostname certificate. Ruby is relying on OpenSSL, and one common mistake made by users of OpenSSL is to assume that OpenSSL will validate the hostname in the server\u0027s certificate. did not perform hostname validation. and up contain support for hostname validation, but they still require the user to call a few functions to set it up. ",
          "fixed_versions": [
            "0.16.0"
          ],
          "identifier": "CVE-2017-17718",
          "identifiers": [
            "CVE-2017-17718"
          ],
          "package_slug": "gem/net-ldap",
          "pubdate": "2017-12-17",
          "solution": "Update to fixed version or use verify_certificate_identity to validate certificates; see provided link.",
          "title": "No validation of hostname certificate",
          "urls": [
            "http://openwall.com/lists/oss-security/2017/12/17/10",
            "http://ruby-doc.org/stdlib-1.9.3/libdoc/openssl/rdoc/OpenSSL/SSL.html#method-c-verify_certificate_identity",
            "https://github.com/ruby-ldap/ruby-net-ldap/issues/258",
            "https://github.com/ruby-ldap/ruby-net-ldap/pull/279"
          ],
          "uuid": "c9059e26-b7b9-43da-8409-2db3d6e7e69d"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:net-ldap_project:net-ldap:0.11:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:net-ldap_project:net-ldap:0.10.0:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:net-ldap_project:net-ldap:0.3.1:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:net-ldap_project:net-ldap:0.2.2:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:net-ldap_project:net-ldap:0.0.5:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:net-ldap_project:net-ldap:0.8.0:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:net-ldap_project:net-ldap:0.7.0:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:net-ldap_project:net-ldap:0.6.1:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:net-ldap_project:net-ldap:0.6.0:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:net-ldap_project:net-ldap:0.15.0:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:net-ldap_project:net-ldap:0.14.0:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:net-ldap_project:net-ldap:0.13.0:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:net-ldap_project:net-ldap:0.12.1:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:net-ldap_project:net-ldap:0.2.1:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:net-ldap_project:net-ldap:0.2:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:net-ldap_project:net-ldap:0.1.1:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:net-ldap_project:net-ldap:0.1.0:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:net-ldap_project:net-ldap:0.12.0:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:net-ldap_project:net-ldap:0.10.1:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:net-ldap_project:net-ldap:0.9.0:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:net-ldap_project:net-ldap:0.5.1:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:net-ldap_project:net-ldap:0.3.0:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2017-17718"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "The Net::LDAP (aka net-ldap) gem before 0.16.0 for Ruby has Missing SSL Certificate Validation."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-295"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/ruby-ldap/ruby-net-ldap/pull/279",
              "refsource": "MISC",
              "tags": [
                "Issue Tracking",
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/ruby-ldap/ruby-net-ldap/pull/279"
            },
            {
              "name": "https://github.com/ruby-ldap/ruby-net-ldap/issues/258",
              "refsource": "MISC",
              "tags": [
                "Issue Tracking",
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/ruby-ldap/ruby-net-ldap/issues/258"
            },
            {
              "name": "http://openwall.com/lists/oss-security/2017/12/17/10",
              "refsource": "MISC",
              "tags": [
                "Issue Tracking",
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "http://openwall.com/lists/oss-security/2017/12/17/10"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.0"
          },
          "exploitabilityScore": 2.2,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2018-01-05T18:12Z",
      "publishedDate": "2017-12-17T21:29Z"
    }
  }
}

cve-2017-17718

Vulnerability from cvelistv5

Published

2017-12-17 21:00

Modified

2024-08-05 20:59

Severity ?

Summary

The Net::LDAP (aka net-ldap) gem before 0.16.0 for Ruby has Missing SSL Certificate Validation.

References

▼	URL	Tags
	http://openwall.com/lists/oss-security/2017/12/17/10	x_refsource_MISC
	https://github.com/ruby-ldap/ruby-net-ldap/issues/258	x_refsource_MISC
	https://github.com/ruby-ldap/ruby-net-ldap/pull/279	x_refsource_MISC

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T20:59:17.688Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://openwall.com/lists/oss-security/2017/12/17/10"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/ruby-ldap/ruby-net-ldap/issues/258"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/ruby-ldap/ruby-net-ldap/pull/279"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2017-12-17T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The Net::LDAP (aka net-ldap) gem before 0.16.0 for Ruby has Missing SSL Certificate Validation."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-12-17T20:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://openwall.com/lists/oss-security/2017/12/17/10"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/ruby-ldap/ruby-net-ldap/issues/258"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/ruby-ldap/ruby-net-ldap/pull/279"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2017-17718",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The Net::LDAP (aka net-ldap) gem before 0.16.0 for Ruby has Missing SSL Certificate Validation."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://openwall.com/lists/oss-security/2017/12/17/10",
              "refsource": "MISC",
              "url": "http://openwall.com/lists/oss-security/2017/12/17/10"
            },
            {
              "name": "https://github.com/ruby-ldap/ruby-net-ldap/issues/258",
              "refsource": "MISC",
              "url": "https://github.com/ruby-ldap/ruby-net-ldap/issues/258"
            },
            {
              "name": "https://github.com/ruby-ldap/ruby-net-ldap/pull/279",
              "refsource": "MISC",
              "url": "https://github.com/ruby-ldap/ruby-net-ldap/pull/279"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2017-17718",
    "datePublished": "2017-12-17T21:00:00",
    "dateReserved": "2017-12-17T00:00:00",
    "dateUpdated": "2024-08-05T20:59:17.688Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

GHSA-m7p8-9w66-9frm

Vulnerability from github

gsd-2017-17718

Vulnerability from gsd

cve-2017-17718

Vulnerability from cvelistv5

Tags

Sightings

Nomenclature