Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTZ3cHYtY2o2eC12M2p3

http vulnerable to Exposure of Sensitive Information to an Unauthorized Actor

The Ruby http gem before 0.7.3 does not verify hostnames in SSL connections, which might allow remote attackers to obtain sensitive information via a man-in-the-middle attack.

Permalink: https://github.com/advisories/GHSA-6wpv-cj6x-v3jw
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTZ3cHYtY2o2eC12M2p3
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 6 years ago
Updated: about 1 year ago


CVSS Score: 5.9
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Identifiers: GHSA-6wpv-cj6x-v3jw, CVE-2015-1828
References: Repository: https://github.com/ruby/openssl
Blast Radius: 25.0

Affected Packages

rubygems:http
Dependent packages: 814
Dependent repositories: 17,404
Downloads: 149,156,158 total
Affected Version Ranges: < 0.7.3
Fixed in: 0.7.3
All affected versions: 0.0.0, 0.0.1, 0.0.2, 0.1.0, 0.2.0, 0.3.0, 0.4.0, 0.5.0, 0.5.1, 0.6.0, 0.6.1, 0.6.2, 0.6.3, 0.6.4, 0.7.0, 0.7.1, 0.7.2
All unaffected versions: 0.7.3, 0.7.4, 0.8.0, 0.8.1, 0.8.2, 0.8.3, 0.8.4, 0.8.5, 0.8.6, 0.8.7, 0.8.8, 0.8.9, 0.8.10, 0.8.11, 0.8.12, 0.8.13, 0.8.14, 0.9.0, 0.9.1, 0.9.2, 0.9.3, 0.9.4, 0.9.5, 0.9.6, 0.9.7, 0.9.8, 0.9.9, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.1.0, 2.2.0, 2.2.1, 2.2.2, 3.0.0, 3.1.0, 3.2.0, 3.2.1, 3.3.0, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.1.0, 4.1.1, 4.2.0, 4.3.0, 4.4.0, 4.4.1, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.1.0, 5.1.1, 5.2.0