Attacker Value

Unknown

(0 users assessed)

Exploitability

Unknown

(0 users assessed)

User Interaction

Unknown

Privileges Required

Unknown

Attack Vector

Unknown

0

CVE-2007-5162

Disclosure Date: October 01, 2007 •

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

The connect method in lib/net/http.rb in the (1) Net::HTTP and (2) Net::HTTPS libraries in Ruby 1.8.5 and 1.8.6 does not verify that the commonName (CN) field in a server certificate matches the domain name in an HTTPS request, which makes it easier for remote attackers to intercept SSL transmissions via a man-in-the-middle attack or spoofed web site.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

None

Impact Score:

Unknown

Exploitability Score:

Unknown

Vector:

Attack Vector (AV):

Unknown

Attack Complexity (AC):

Unknown

Privileges Required (PR):

Unknown

User Interaction (UI):

Unknown

Scope (S):

Unknown

Confidentiality (C):

Unknown

Integrity (I):

Unknown

Availability (A):

Unknown

Vendors

ruby-lang

Products

References

Canonical

CVE-2007-5162 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5162)

BID-25847 (http://www.securityfocus.com/bid/25847)

Advisory

http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=13499

20071112 FLEA-2007-0068-1 ruby (http://www.securityfocus.com/archive/1/483577/100/0/threaded)

SECUNIA-27576 (http://secunia.com/advisories/27576)

SECUNIA-26985 (http://secunia.com/advisories/26985)

ADV-2007-3340 (http://www.vupen.com/english/advisories/2007/3340)

USN-596-1 (http://www.ubuntu.com/usn/usn-596-1)

XF-ruby-nethttps-mitm(36861) (https://exchange.xforce.ibmcloud.com/vulnerabilities/36861)

http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=13500

FEDORA-2007-2685 (https://www.redhat.com/archives/fedora-package-announce/2007-October/msg00391.html)

SECUNIA-27044 (http://secunia.com/advisories/27044)

http://www.redhat.com/support/errata/RHSA-2007-0961.html

http://www.redhat.com/support/errata/RHSA-2007-0965.html

SECUNIA-27756 (http://secunia.com/advisories/27756)

DSA-1412 (http://www.debian.org/security/2007/dsa-1412)

http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=13502

SECUNIA-27673 (http://secunia.com/advisories/27673)

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10738

DSA-1410 (http://www.debian.org/security/2007/dsa-1410)

SECUNIA-27769 (http://secunia.com/advisories/27769)

FEDORA-2007-718 (https://www.redhat.com/archives/fedora-package-announce/2007-October/msg00087.html)

http://www.novell.com/linux/security/advisories/2007_24_sr.html

http://www.mandriva.com/security/advisories?name=MDVSA-2008:029

SECUNIA-29556 (http://secunia.com/advisories/29556)

SECUNIA-27818 (http://secunia.com/advisories/27818)

SECUNIA-27432 (http://secunia.com/advisories/27432)

20070927 Ruby Net::HTTPS library does not validate server certificate CN (http://www.securityfocus.com/archive/1/480987/100/0/threaded)

SREASON-3180 (http://securityreason.com/securityalert/3180)

FEDORA-2007-2406 (https://www.redhat.com/archives/fedora-package-announce/2007-October/msg00097.html)

SECUNIA-28645 (http://secunia.com/advisories/28645)

http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=13504

DSA-1411 (http://www.debian.org/security/2007/dsa-1411)

SECUNIA-27764 (http://secunia.com/advisories/27764)

Miscellaneous

https://bugzilla.redhat.com/show_bug.cgi?id=313791

http://www.isecpartners.com/advisories/2007-006-rubyssl.txt

Rapid7

Technical Analysis