// For flags

CVE-2007-5162

Net: HTTP insufficient verification of SSL certificate

Severity Score

5.9
*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

The connect method in lib/net/http.rb in the (1) Net::HTTP and (2) Net::HTTPS libraries in Ruby 1.8.5 and 1.8.6 does not verify that the commonName (CN) field in a server certificate matches the domain name in an HTTPS request, which makes it easier for remote attackers to intercept SSL transmissions via a man-in-the-middle attack or spoofed web site.

El método connect en lib/net/http.rb en las bibliotecas (1) Net::HTTP y (2) Net::HTTPS de Ruby 1.8.5 y 1.8.6 no verifica que el campo commonName (CN) en un certificado de servidor concuerde con el nombre de dominio de una petición HTTPS, lo cual facilita a atacantes remotos interceptar transmisiones SSL mediante un ataque de "hombre en medio" (man-in-the-middle) o sitio web falsificado.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
Attack Vector
Network
Attack Complexity
Medium
Authentication
None
Confidentiality
None
Integrity
Partial
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2007-09-30 CVE Reserved
  • 2007-10-01 CVE Published
  • 2024-08-07 CVE Updated
  • 2025-03-30 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-287: Improper Authentication
CAPEC
References (37)
URL Tag Source
http://secunia.com/advisories/26985 Third Party Advisory
http://secunia.com/advisories/27044 Third Party Advisory
http://secunia.com/advisories/27432 Third Party Advisory
http://secunia.com/advisories/27576 Third Party Advisory
http://secunia.com/advisories/27673 Third Party Advisory
http://secunia.com/advisories/27756 Third Party Advisory
http://secunia.com/advisories/27764 Third Party Advisory
http://secunia.com/advisories/27769 Third Party Advisory
http://secunia.com/advisories/27818 Third Party Advisory
http://secunia.com/advisories/28645 Third Party Advisory
http://secunia.com/advisories/29556 Third Party Advisory
http://securityreason.com/securityalert/3180 Third Party Advisory
http://www.isecpartners.com/advisories/2007-006-rubyssl.txt X_refsource_misc
http://www.securityfocus.com/archive/1/480987/100/0/threaded Mailing List
http://www.securityfocus.com/archive/1/483577/100/0/threaded Mailing List
http://www.vupen.com/english/advisories/2007/3340 Vdb Entry
https://bugzilla.redhat.com/show_bug.cgi?id=313791 X_refsource_misc
https://exchange.xforce.ibmcloud.com/vulnerabilities/36861 Vdb Entry
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10738 Signature
URL Date SRC
URL Date SRC
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=13499 2018-10-15
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=13500 2018-10-15
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=13502 2018-10-15
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=13504 2018-10-15
http://www.securityfocus.com/bid/25847 2018-10-15
URL Date SRC
http://www.debian.org/security/2007/dsa-1410 2018-10-15
http://www.debian.org/security/2007/dsa-1411 2018-10-15
http://www.debian.org/security/2007/dsa-1412 2018-10-15
http://www.mandriva.com/security/advisories?name=MDVSA-2008:029 2018-10-15
http://www.novell.com/linux/security/advisories/2007_24_sr.html 2018-10-15
http://www.redhat.com/support/errata/RHSA-2007-0961.html 2018-10-15
http://www.redhat.com/support/errata/RHSA-2007-0965.html 2018-10-15
http://www.ubuntu.com/usn/usn-596-1 2018-10-15
https://www.redhat.com/archives/fedora-package-announce/2007-October/msg00087.html 2018-10-15
https://www.redhat.com/archives/fedora-package-announce/2007-October/msg00097.html 2018-10-15
https://www.redhat.com/archives/fedora-package-announce/2007-October/msg00391.html 2018-10-15
https://access.redhat.com/security/cve/CVE-2007-5162 2007-11-13
https://bugzilla.redhat.com/show_bug.cgi?id=313691 2007-11-13
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Ruby-lang
Search vendor "Ruby-lang"
 Ruby
Search vendor "Ruby-lang" for product "Ruby"
 1.8.5
Search vendor "Ruby-lang" for product "Ruby" and version "1.8.5"
-
Affected
Ruby-lang
Search vendor "Ruby-lang"
 Ruby
Search vendor "Ruby-lang" for product "Ruby"
 1.8.6
Search vendor "Ruby-lang" for product "Ruby" and version "1.8.6"
-
Affected