CVE-2007-5162

The connect method in lib/net/http.rb in the (1) Net::HTTP and (2) Net::HTTPS libraries in Ruby 1.8.5 and 1.8.6 does not verify that the commonName (CN) field in a server certificate matches the domain name in an HTTPS request, which makes it easier for remote attackers to intercept SSL transmissions via a man-in-the-middle attack or spoofed web site.

🔗 References (70)

• cve@mitrehttp://secunia.com/advisories/26985
• cve@mitrehttp://secunia.com/advisories/27044
• cve@mitrehttp://secunia.com/advisories/27432
• cve@mitrehttp://secunia.com/advisories/27576
• cve@mitrehttp://secunia.com/advisories/27673
• cve@mitrehttp://secunia.com/advisories/27756
• cve@mitrehttp://secunia.com/advisories/27764
• cve@mitrehttp://secunia.com/advisories/27769
• cve@mitrehttp://secunia.com/advisories/27818
• cve@mitrehttp://secunia.com/advisories/28645
• cve@mitrehttp://secunia.com/advisories/29556
• cve@mitrehttp://securityreason.com/securityalert/3180
• cve@mitrehttp://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=13499
• cve@mitrehttp://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=13500
• cve@mitrehttp://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=13502