Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
Related vulnerabilities
GSD-2015-1828
Vulnerability from gsd - Updated: 2015-03-24 00:00Details
http.rb failed to call the OpenSSL::SSL::SSLSocket#post_connection_check method to perform hostname verification.
Because of this, an attacker with a valid certificate but with a mismatched subject can perform a MitM attack.
Aliases
{
"GSD": {
"alias": "CVE-2015-1828",
"description": "The Ruby http gem before 0.7.3 does not verify hostnames in SSL connections, which might allow remote attackers to obtain sensitive information via a man-in-the-middle-attack.",
"id": "GSD-2015-1828",
"references": [
"https://www.suse.com/security/cve/CVE-2015-1828.html"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "http",
"purl": "pkg:gem/http"
}
}
],
"aliases": [
"CVE-2015-1828",
"OSVDB-119927",
"GHSA-6wpv-cj6x-v3jw"
],
"details": "http.rb failed to call the OpenSSL::SSL::SSLSocket#post_connection_check method to perform hostname verification.\nBecause of this, an attacker with a valid certificate but with a mismatched subject can perform a MitM attack.\n",
"id": "GSD-2015-1828",
"modified": "2015-03-24T00:00:00.000Z",
"published": "2015-03-24T00:00:00.000Z",
"references": [
{
"type": "WEB",
"url": "https://groups.google.com/forum/#!topic/httprb/jkb4oxwZjkU"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": 5.0,
"type": "CVSS_V2"
},
{
"score": 5.9,
"type": "CVSS_V3"
}
],
"summary": "HTTPS MitM vulnerability in http.rb"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2015-1828",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Ruby http gem before 0.7.3 does not verify hostnames in SSL connections, which might allow remote attackers to obtain sensitive information via a man-in-the-middle-attack."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://rubysec.com/advisories/http-CVE-2015-1828",
"refsource": "CONFIRM",
"url": "https://rubysec.com/advisories/http-CVE-2015-1828"
},
{
"name": "https://github.com/ruby/openssl/issues/8",
"refsource": "CONFIRM",
"url": "https://github.com/ruby/openssl/issues/8"
},
{
"name": "https://groups.google.com/forum/#!topic/httprb/jkb4oxwZjkU",
"refsource": "CONFIRM",
"url": "https://groups.google.com/forum/#!topic/httprb/jkb4oxwZjkU"
}
]
}
},
"github.com/rubysec/ruby-advisory-db": {
"cve": "2015-1828",
"cvss_v2": 5.0,
"cvss_v3": 5.9,
"date": "2015-03-24",
"description": "http.rb failed to call the OpenSSL::SSL::SSLSocket#post_connection_check method to perform hostname verification.\nBecause of this, an attacker with a valid certificate but with a mismatched subject can perform a MitM attack.\n",
"gem": "http",
"ghsa": "6wpv-cj6x-v3jw",
"osvdb": 119927,
"patched_versions": [
"\u003e= 0.7.3",
"~\u003e 0.6.4"
],
"title": "HTTPS MitM vulnerability in http.rb",
"url": "https://groups.google.com/forum/#!topic/httprb/jkb4oxwZjkU"
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003e0.0.0a \u003c0.6.4||\u003e0.7.0a \u003c0.7.3",
"affected_versions": "All versions after 0.0.0a before 0.6.4, all versions after 0.7.0a before 0.7.3",
"credit": "Tony Arcieri",
"cvss_v2": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"cvss_v3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-200",
"CWE-937"
],
"date": "2019-10-17",
"description": "The file `http.rb` of the http package fails to call the `OpenSSL::SSL::SSLSocket#post_connection_check` method to perform hostname verification. Because of this, an attacker with a valid certificate but with a mismatched subject can perform a Man-in-the-Middle attack.",
"fixed_versions": [
"0.6.4",
"0.7.3"
],
"identifier": "CVE-2015-1828",
"identifiers": [
"CVE-2015-1828"
],
"not_impacted": "All versions up to 0.0.0a, all versions starting from 0.6.4 up to 0.7.0a, all versions starting from 0.7.3",
"package_slug": "gem/http",
"pubdate": "2017-10-06",
"solution": "Upgrade to versions 0.6.4, 0.7.3 or above.",
"title": "MitM vulnerability",
"urls": [
"https://groups.google.com/forum/#!topic/httprb/jkb4oxwZjkU"
],
"uuid": "10cf3062-1f13-4e10-9f7c-798acd28e480"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:http.rb_project:http.rb:*:*:*:*:*:ruby:*:*",
"cpe_name": [],
"versionEndIncluding": "0.7.2",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2015-1828"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "The Ruby http gem before 0.7.3 does not verify hostnames in SSL connections, which might allow remote attackers to obtain sensitive information via a man-in-the-middle-attack."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://rubysec.com/advisories/http-CVE-2015-1828",
"refsource": "CONFIRM",
"tags": [
"Third Party Advisory"
],
"url": "https://rubysec.com/advisories/http-CVE-2015-1828"
},
{
"name": "https://github.com/ruby/openssl/issues/8",
"refsource": "CONFIRM",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/ruby/openssl/issues/8"
},
{
"name": "https://groups.google.com/forum/#!topic/httprb/jkb4oxwZjkU",
"refsource": "CONFIRM",
"tags": [
"Third Party Advisory"
],
"url": "https://groups.google.com/forum/#!topic/httprb/jkb4oxwZjkU"
}
]
}
},
"impact": {
"baseMetricV2": {
"cvssV2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 3.6
}
},
"lastModifiedDate": "2019-10-17T12:58Z",
"publishedDate": "2017-10-06T22:29Z"
}
}
}