gsd-2017-17718
Vulnerability from gsd
Modified
2017-12-17 00:00
Details
The Net::LDAP (aka net-ldap) gem before 0.16.0 for Ruby has Missing SSL
Certificate Validation. The LDAP server's certificate was not verified
to match the host it was supposed to be connecting to.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2017-17718",
"description": "The Net::LDAP (aka net-ldap) gem before 0.16.0 for Ruby has Missing SSL Certificate Validation.",
"id": "GSD-2017-17718",
"references": [
"https://www.suse.com/security/cve/CVE-2017-17718.html",
"https://access.redhat.com/errata/RHSA-2020:1454"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "net-ldap",
"purl": "pkg:gem/net-ldap"
}
}
],
"aliases": [
"CVE-2017-17718",
"GHSA-m7p8-9w66-9frm"
],
"details": "The Net::LDAP (aka net-ldap) gem before 0.16.0 for Ruby has Missing SSL\nCertificate Validation. The LDAP server\u0027s certificate was not verified\nto match the host it was supposed to be connecting to.\n",
"id": "GSD-2017-17718",
"modified": "2017-12-17T00:00:00.000Z",
"published": "2017-12-17T00:00:00.000Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ruby-ldap/ruby-net-ldap/issues/258"
},
{
"type": "WEB",
"url": "https://github.com/ruby-ldap/ruby-net-ldap/pull/279"
},
{
"type": "WEB",
"url": "https://github.com/ruby-ldap/ruby-net-ldap/commit/e4c46a223a19feda78393a793711353aa1febdcd"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": 5.9,
"type": "CVSS_V3"
}
],
"summary": "No validation of hostname certificate in net-ldap"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-17718",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Net::LDAP (aka net-ldap) gem before 0.16.0 for Ruby has Missing SSL Certificate Validation."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://openwall.com/lists/oss-security/2017/12/17/10",
"refsource": "MISC",
"url": "http://openwall.com/lists/oss-security/2017/12/17/10"
},
{
"name": "https://github.com/ruby-ldap/ruby-net-ldap/issues/258",
"refsource": "MISC",
"url": "https://github.com/ruby-ldap/ruby-net-ldap/issues/258"
},
{
"name": "https://github.com/ruby-ldap/ruby-net-ldap/pull/279",
"refsource": "MISC",
"url": "https://github.com/ruby-ldap/ruby-net-ldap/pull/279"
}
]
}
},
"github.com/rubysec/ruby-advisory-db": {
"cve": "2017-17718",
"cvss_v3": 5.9,
"date": "2017-12-17",
"description": "The Net::LDAP (aka net-ldap) gem before 0.16.0 for Ruby has Missing SSL\nCertificate Validation. The LDAP server\u0027s certificate was not verified\nto match the host it was supposed to be connecting to.\n",
"gem": "net-ldap",
"ghsa": "m7p8-9w66-9frm",
"patched_versions": [
"\u003e= 0.16.0"
],
"related": {
"url": [
"https://github.com/ruby-ldap/ruby-net-ldap/pull/279",
"https://github.com/ruby-ldap/ruby-net-ldap/commit/e4c46a223a19feda78393a793711353aa1febdcd"
]
},
"title": "No validation of hostname certificate in net-ldap",
"url": "https://github.com/ruby-ldap/ruby-net-ldap/issues/258"
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003c0.16.0",
"affected_versions": "All versions before 0.16.0",
"credit": "Raphael Geissert",
"cvss_v2": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"cvss_v3": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-295",
"CWE-937"
],
"date": "2018-01-05",
"description": "Net-ldap does not validate the hostname certificate. Ruby is relying on OpenSSL, and one common mistake made by users of OpenSSL is to assume that OpenSSL will validate the hostname in the server\u0027s certificate. did not perform hostname validation. and up contain support for hostname validation, but they still require the user to call a few functions to set it up. ",
"fixed_versions": [
"0.16.0"
],
"identifier": "CVE-2017-17718",
"identifiers": [
"CVE-2017-17718"
],
"package_slug": "gem/net-ldap",
"pubdate": "2017-12-17",
"solution": "Update to fixed version or use verify_certificate_identity to validate certificates; see provided link.",
"title": "No validation of hostname certificate",
"urls": [
"http://openwall.com/lists/oss-security/2017/12/17/10",
"http://ruby-doc.org/stdlib-1.9.3/libdoc/openssl/rdoc/OpenSSL/SSL.html#method-c-verify_certificate_identity",
"https://github.com/ruby-ldap/ruby-net-ldap/issues/258",
"https://github.com/ruby-ldap/ruby-net-ldap/pull/279"
],
"uuid": "c9059e26-b7b9-43da-8409-2db3d6e7e69d"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:net-ldap_project:net-ldap:0.11:*:*:*:*:ruby:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:net-ldap_project:net-ldap:0.10.0:*:*:*:*:ruby:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:net-ldap_project:net-ldap:0.3.1:*:*:*:*:ruby:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:net-ldap_project:net-ldap:0.2.2:*:*:*:*:ruby:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:net-ldap_project:net-ldap:0.0.5:*:*:*:*:ruby:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:net-ldap_project:net-ldap:0.8.0:*:*:*:*:ruby:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:net-ldap_project:net-ldap:0.7.0:*:*:*:*:ruby:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:net-ldap_project:net-ldap:0.6.1:*:*:*:*:ruby:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:net-ldap_project:net-ldap:0.6.0:*:*:*:*:ruby:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:net-ldap_project:net-ldap:0.15.0:*:*:*:*:ruby:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:net-ldap_project:net-ldap:0.14.0:*:*:*:*:ruby:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:net-ldap_project:net-ldap:0.13.0:*:*:*:*:ruby:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:net-ldap_project:net-ldap:0.12.1:*:*:*:*:ruby:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:net-ldap_project:net-ldap:0.2.1:*:*:*:*:ruby:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:net-ldap_project:net-ldap:0.2:*:*:*:*:ruby:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:net-ldap_project:net-ldap:0.1.1:*:*:*:*:ruby:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:net-ldap_project:net-ldap:0.1.0:*:*:*:*:ruby:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:net-ldap_project:net-ldap:0.12.0:*:*:*:*:ruby:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:net-ldap_project:net-ldap:0.10.1:*:*:*:*:ruby:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:net-ldap_project:net-ldap:0.9.0:*:*:*:*:ruby:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:net-ldap_project:net-ldap:0.5.1:*:*:*:*:ruby:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:net-ldap_project:net-ldap:0.3.0:*:*:*:*:ruby:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-17718"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "The Net::LDAP (aka net-ldap) gem before 0.16.0 for Ruby has Missing SSL Certificate Validation."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-295"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/ruby-ldap/ruby-net-ldap/pull/279",
"refsource": "MISC",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/ruby-ldap/ruby-net-ldap/pull/279"
},
{
"name": "https://github.com/ruby-ldap/ruby-net-ldap/issues/258",
"refsource": "MISC",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/ruby-ldap/ruby-net-ldap/issues/258"
},
{
"name": "http://openwall.com/lists/oss-security/2017/12/17/10",
"refsource": "MISC",
"tags": [
"Issue Tracking",
"Mailing List",
"Third Party Advisory"
],
"url": "http://openwall.com/lists/oss-security/2017/12/17/10"
}
]
}
},
"impact": {
"baseMetricV2": {
"cvssV2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.2,
"impactScore": 3.6
}
},
"lastModifiedDate": "2018-01-05T18:12Z",
"publishedDate": "2017-12-17T21:29Z"
}
}
}
Loading...
Loading...
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.