Description
verify_certificate_identity in the OpenSSL extension in Ruby before 2.0.0 patchlevel 645, 2.1.x before 2.1.6, and 2.2.x before 2.2.2 does not properly validate hostnames, which allows remote attackers to spoof servers via vectors related to (1) multiple wildcards, (2) wildcards in IDNA names, (3) case sensitivity, and (4) non-ASCII characters.
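To make the four weaknesses concrete, here is an added example (not code from the Ruby project) of a dNSName/CN matcher written along the lines of RFC 6125 section 6.4.3; the module and method names are my own. It rejects more than one wildcard, wildcards outside the leftmost label, wildcards touching an IDNA A-label, and any non-ASCII identifier, and compares case-insensitively.

```ruby
# Added example (not the Ruby project's code): a dNSName/CN matcher in the
# spirit of RFC 6125 section 6.4.3, hardened against the four weaknesses the
# description lists. `hostname` is the reference identifier the client
# connected to, `san` the presented identifier taken from the certificate.
module HostnameMatch
  def self.match?(hostname, san)
    # (4) dNSName is an IA5String: anything outside ASCII never matches.
    return false unless hostname.ascii_only? && san.ascii_only?

    # (3) DNS names compare case-insensitively; normalise both sides first.
    host_labels = hostname.downcase.split(".", -1)
    san_labels  = san.downcase.split(".", -1)
    return false if host_labels.any?(&:empty?) || san_labels.any?(&:empty?)

    # A wildcard stands for exactly one label, so label counts must agree
    # (rules out *.example.com matching bar.foo.example.com).
    return false unless host_labels.size == san_labels.size

    # (1) The wildcard may appear only in the leftmost label, and a wildcard
    # name needs at least two literal labels so "*.com" cannot be presented.
    return false if san_labels.drop(1).any? { |l| l.include?("*") }
    return false if san_labels.first.include?("*") && san_labels.size < 3

    wildcard_label?(host_labels.first, san_labels.first) &&
      host_labels.drop(1) == san_labels.drop(1)
  end

  # Compare one reference label against one presented label, which may carry
  # a single "*" (RFC 6125 allows partial matches such as "baz*.example.com").
  def self.wildcard_label?(host_label, san_label)
    parts = san_label.split("*", -1)
    return host_label == san_label if parts.size == 1 # literal label
    return false if parts.size > 2                    # (1) more than one "*"
    # (2) Never match a wildcard embedded in an IDNA A-label ("xn--...").
    return false if san_label != "*" &&
                    (host_label.start_with?("xn--") || san_label.start_with?("xn--"))
    prefix, suffix = parts
    host_label.length > prefix.length + suffix.length &&
      host_label.start_with?(prefix) && host_label.end_with?(suffix)
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample pairs (presented identifier, reference hostname).
  [["WWW.Example.COM", "www.example.com"], ["*.*.example.com", "a.b.example.com"],
   ["xn--*.example.com", "xn--e1afmkfd.example.com"], ["www.ex\u00e4mple.com", "www.ex\u00e4mple.com"]]
    .each { |san, host| puts "#{san.ljust(26)} vs #{host.ljust(26)} => #{HostnameMatch.match?(host, san)}" }
end
```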
Remediation
Upgrade to Ruby 2.0.0 patchlevel 645, 2.1.6, or 2.2.2 (or later), which correct the hostname validation in verify_certificate_identity.
References