ID CVE-2013-4073
Summary The OpenSSL::SSL.verify_certificate_identity function in lib/openssl/ssl.rb in Ruby 1.8 before 1.8.7-p374, 1.9 before 1.9.3-p448, and 2.0 before 2.0.0-p247 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
References
Vulnerable Configurations
  • cpe:2.3:a:ruby-lang:ruby:1.8.6-26:*:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:1.8.6-26:*:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.8.7:*:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:1.8.7:*:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.8.7:p160:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:1.8.7:p160:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.8.7:p17:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:1.8.7:p17:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.8.7:p173:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:1.8.7:p173:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.8.7:p174:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:1.8.7:p174:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.8.7:p22:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:1.8.7:p22:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.8.7:p248:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:1.8.7:p248:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.8.7:p249:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:1.8.7:p249:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.8.7:p299:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:1.8.7:p299:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.8.7:p301:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:1.8.7:p301:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.8.7:p302:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:1.8.7:p302:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.8.7:p330:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:1.8.7:p330:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.8.7:p334:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:1.8.7:p334:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.8.7:p352:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:1.8.7:p352:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.8.7:p357:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:1.8.7:p357:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.8.7:p358:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:1.8.7:p358:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.8.7:p370:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:1.8.7:p370:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.8.7:p371:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:1.8.7:p371:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.8.7:p373:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:1.8.7:p373:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.8.7:p71:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:1.8.7:p71:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.8.7:p72:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:1.8.7:p72:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.8.7:preview1:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:1.8.7:preview1:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.8.7:preview2:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:1.8.7:preview2:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.8.7:preview3:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:1.8.7:preview3:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.8.7:preview4:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:1.8.7:preview4:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.9.3:*:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:1.9.3:*:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.9.3:p0:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:1.9.3:p0:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.9.3:p125:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:1.9.3:p125:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.9.3:p194:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:1.9.3:p194:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.9.3:p286:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:1.9.3:p286:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.9.3:p383:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:1.9.3:p383:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.9.3:p385:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:1.9.3:p385:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.9.3:p392:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:1.9.3:p392:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.9.3:p426:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:1.9.3:p426:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:1.9.3:p429:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:1.9.3:p429:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:2.0.0:p0:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:2.0.0:p0:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:2.0.0:p195:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:2.0.0:p195:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:2.0.0:preview1:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:2.0.0:preview1:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:2.0.0:preview2:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:2.0.0:preview2:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:2.0.0:rc1:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:2.0.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:ruby-lang:ruby:2.0.0:rc2:*:*:*:*:*:*
    cpe:2.3:a:ruby-lang:ruby:2.0.0:rc2:*:*:*:*:*:*
CVSS
Base: 6.8 (as of 13-08-2018 - 21:47)
Impact:
Exploitability:
CWE CWE-310
CAPEC
  • Signature Spoofing by Key Recreation
    An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
Access
VectorComplexityAuthentication
NETWORK MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
cvss-vector via4 AV:N/AC:M/Au:N/C:P/I:P/A:P
redhat via4
advisories
  • bugzilla
    id 979251
    title CVE-2013-4073 ruby: hostname check bypassing vulnerability in SSL client
    oval
    OR
    • AND
      • comment Red Hat Enterprise Linux 5 is installed
        oval oval:com.redhat.rhba:tst:20070331001
      • OR
        • AND
          • comment ruby is earlier than 0:1.8.5-31.el5_9
            oval oval:com.redhat.rhsa:tst:20131090002
          • comment ruby is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20070965003
        • AND
          • comment ruby-devel is earlier than 0:1.8.5-31.el5_9
            oval oval:com.redhat.rhsa:tst:20131090004
          • comment ruby-devel is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20070965013
        • AND
          • comment ruby-docs is earlier than 0:1.8.5-31.el5_9
            oval oval:com.redhat.rhsa:tst:20131090006
          • comment ruby-docs is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20070965017
        • AND
          • comment ruby-irb is earlier than 0:1.8.5-31.el5_9
            oval oval:com.redhat.rhsa:tst:20131090008
          • comment ruby-irb is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20070965011
        • AND
          • comment ruby-libs is earlier than 0:1.8.5-31.el5_9
            oval oval:com.redhat.rhsa:tst:20131090014
          • comment ruby-libs is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20070965019
        • AND
          • comment ruby-mode is earlier than 0:1.8.5-31.el5_9
            oval oval:com.redhat.rhsa:tst:20131090018
          • comment ruby-mode is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20070965005
        • AND
          • comment ruby-rdoc is earlier than 0:1.8.5-31.el5_9
            oval oval:com.redhat.rhsa:tst:20131090016
          • comment ruby-rdoc is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20070965007
        • AND
          • comment ruby-ri is earlier than 0:1.8.5-31.el5_9
            oval oval:com.redhat.rhsa:tst:20131090012
          • comment ruby-ri is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20070965015
        • AND
          • comment ruby-tcltk is earlier than 0:1.8.5-31.el5_9
            oval oval:com.redhat.rhsa:tst:20131090010
          • comment ruby-tcltk is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20070965009
    • AND
      • OR
        • comment Red Hat Enterprise Linux 6 Client is installed
          oval oval:com.redhat.rhba:tst:20111656001
        • comment Red Hat Enterprise Linux 6 Server is installed
          oval oval:com.redhat.rhba:tst:20111656002
        • comment Red Hat Enterprise Linux 6 Workstation is installed
          oval oval:com.redhat.rhba:tst:20111656003
        • comment Red Hat Enterprise Linux 6 ComputeNode is installed
          oval oval:com.redhat.rhba:tst:20111656004
      • OR
        • AND
          • comment ruby is earlier than 0:1.8.7.352-12.el6_4
            oval oval:com.redhat.rhsa:tst:20131090024
          • comment ruby is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20110910006
        • AND
          • comment ruby-devel is earlier than 0:1.8.7.352-12.el6_4
            oval oval:com.redhat.rhsa:tst:20131090026
          • comment ruby-devel is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20110910016
        • AND
          • comment ruby-docs is earlier than 0:1.8.7.352-12.el6_4
            oval oval:com.redhat.rhsa:tst:20131090030
          • comment ruby-docs is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20110910012
        • AND
          • comment ruby-irb is earlier than 0:1.8.7.352-12.el6_4
            oval oval:com.redhat.rhsa:tst:20131090034
          • comment ruby-irb is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20110910018
        • AND
          • comment ruby-libs is earlier than 0:1.8.7.352-12.el6_4
            oval oval:com.redhat.rhsa:tst:20131090040
          • comment ruby-libs is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20110910020
        • AND
          • comment ruby-rdoc is earlier than 0:1.8.7.352-12.el6_4
            oval oval:com.redhat.rhsa:tst:20131090036
          • comment ruby-rdoc is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20110910022
        • AND
          • comment ruby-ri is earlier than 0:1.8.7.352-12.el6_4
            oval oval:com.redhat.rhsa:tst:20131090038
          • comment ruby-ri is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20110910014
        • AND
          • comment ruby-static is earlier than 0:1.8.7.352-12.el6_4
            oval oval:com.redhat.rhsa:tst:20131090032
          • comment ruby-static is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20110910010
        • AND
          • comment ruby-tcltk is earlier than 0:1.8.7.352-12.el6_4
            oval oval:com.redhat.rhsa:tst:20131090028
          • comment ruby-tcltk is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20110910008
    rhsa
    id RHSA-2013:1090
    released 2013-07-17
    severity Moderate
    title RHSA-2013:1090: ruby security update (Moderate)
  • rhsa
    id RHSA-2013:1103
  • rhsa
    id RHSA-2013:1137
rpms
  • ruby-0:1.8.5-31.el5_9
  • ruby-devel-0:1.8.5-31.el5_9
  • ruby-docs-0:1.8.5-31.el5_9
  • ruby-irb-0:1.8.5-31.el5_9
  • ruby-libs-0:1.8.5-31.el5_9
  • ruby-mode-0:1.8.5-31.el5_9
  • ruby-rdoc-0:1.8.5-31.el5_9
  • ruby-ri-0:1.8.5-31.el5_9
  • ruby-tcltk-0:1.8.5-31.el5_9
  • ruby-0:1.8.7.352-12.el6_4
  • ruby-devel-0:1.8.7.352-12.el6_4
  • ruby-docs-0:1.8.7.352-12.el6_4
  • ruby-irb-0:1.8.7.352-12.el6_4
  • ruby-libs-0:1.8.7.352-12.el6_4
  • ruby-rdoc-0:1.8.7.352-12.el6_4
  • ruby-ri-0:1.8.7.352-12.el6_4
  • ruby-static-0:1.8.7.352-12.el6_4
  • ruby-tcltk-0:1.8.7.352-12.el6_4
refmap via4
apple APPLE-SA-2013-10-22-3
confirm
debian
  • DSA-2738
  • DSA-2809
suse
  • openSUSE-SU-2013:1181
  • openSUSE-SU-2013:1186
ubuntu USN-1902-1
Last major update 13-08-2018 - 21:47
Published 18-08-2013 - 02:52
Back to Top