vulnerability

OS X update for Ruby (CVE-2015-1855)

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
4	(AV:N/AC:M/Au:N/C:N/I:P/A:N)	Apr 5, 2017	Apr 5, 2017	Aug 13, 2025

Severity

CVSS

(AV:N/AC:M/Au:N/C:N/I:P/A:N)

Published

Apr 5, 2017

Added

Apr 5, 2017

Modified

Aug 13, 2025

Description

verify_certificate_identity in the OpenSSL extension in Ruby before 2.0.0 patchlevel 645, 2.1.x before 2.1.6, and 2.2.x before 2.2.2 does not properly validate hostnames, which allows remote attackers to spoof servers via vectors related to (1) multiple wildcards, (1) wildcards in IDNA names, (3) case sensitivity, and (4) non-ASCII characters.

Solution

apple-osx-upgrade-10_11

References

CVE-2015-1855
https://attackerkb.com/topics/CVE-2015-1855
CWE-20
URL-https://support.apple.com/kb/HT205267

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today