Description
verify_certificate_identity in the OpenSSL extension in Ruby before 2.0.0 patchlevel 645, 2.1.x before 2.1.6, and 2.2.x before 2.2.2 does not properly validate hostnames, which allows remote attackers to spoof servers via vectors related to (1) multiple wildcards, (1) wildcards in IDNA names, (3) case sensitivity, and (4) non-ASCII characters.
Remediation
References
Related Vulnerabilities
Oracle Database Server CVE-2011-3512 Vulnerability (CVE-2011-3512)
MySQL Uncontrolled Resource Consumption Vulnerability (CVE-2025-50077)
Ruby Permissions, Privileges, and Access Controls Vulnerability (CVE-2012-4464)
WordPress Plugin Download Manager Cross-Site Scripting (3.2.52)
WordPress Plugin FancyBox for WordPress Cross-Site Scripting (3.0.2)