The OpenSSL::SSL.verify_certificate_identity function in lib/openssl/ssl.rb in Ruby 1.8 before 1.8.7-p374, 1.9 before 1.9.3-p448, and 2.0 before 2.0.0-p247 does not properly handle a '\0' (NUL) character in a domain name in the Subject Alternative Name field of an X.509 certificate. The check matched the hostname against the extension's textual rendering, which stops at the first NUL, so a dNSName such as "www.victim.example\0.attacker.example" appears to be "www.victim.example". This allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
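The following is an added illustration, not code from the page or from Ruby's lib/openssl/ssl.rb. It builds a subjectAltName extension whose dNSName carries an embedded NUL (the attacker-controlled name and the victim hostname are constructed samples), then compares two matchers: one with the shape of the vulnerable regexp-over-text logic, fed the truncated text form the library printed at the time (emulated here so the example does not depend on the installed OpenSSL), and one with the shape of the upstream fix, which walks the DER and refuses any dNSName containing a NUL byte. Function names are my own.

```ruby
require "openssl"

# Constructed sample names: the victim host, a NUL byte, then a suffix the
# attacker can legitimately obtain a certificate for.
EVIL_NAME = "www.example.com\0.attacker.test"
GOOD_NAME = "www.example.com"

# Build a subjectAltName extension whose dNSName is taken verbatim as bytes.
# GeneralName ::= CHOICE { ... dNSName [2] IMPLICIT IA5String ... } (RFC 5280)
def san_extension(dns_name)
  general_names = OpenSSL::ASN1::Sequence.new([
    OpenSSL::ASN1::IA5String.new(dns_name, 2, :IMPLICIT)
  ])
  OpenSSL::X509::Extension.new("subjectAltName", general_names.to_der)
end

# What the pre-fix Ruby code looked at: the extension rendered to text by the
# C library, which used NUL-terminated strings and so stopped at the first
# NUL byte. Emulated here rather than read from ext.value, because current
# OpenSSL builds no longer render such a name this way.
def legacy_text_form(dns_name)
  "DNS:" + dns_name.split("\0", 2).first
end

# Vulnerable matcher: same shape as the pre-1.9.3-p448 logic, a regexp over
# the textual rendering. The part after the NUL is never seen.
def vulnerable_match?(san_text, hostname)
  san_text.split(/,\s+/).any? do |general_name|
    next false unless /\ADNS:(.*)/ =~ general_name
    pattern = Regexp.escape($1).gsub(/\\\*/, "[^.]+")
    /\A#{pattern}\z/i.match?(hostname)
  end
end

# Fixed matcher: decode the DER, take the dNSName bytes exactly as encoded,
# and reject a name that contains an embedded NUL before matching.
def fixed_match?(ext, hostname)
  extn_value   = OpenSSL::ASN1.decode(ext.to_der).value.last   # OCTET STRING
  general_names = OpenSSL::ASN1.decode(extn_value.value)
  general_names.value.any? do |gn|
    next false unless gn.tag == 2 && gn.tag_class == :CONTEXT_SPECIFIC
    name = gn.value
    next false if name.include?("\0")            # the CVE-2013-4073 check
    pattern = Regexp.escape(name).gsub(/\\\*/, "[^.]+")
    /\A#{pattern}\z/i.match?(hostname)
  end
end

if __FILE__ == $0
  host = "www.example.com"
  puts "vulnerable, NUL name:  #{vulnerable_match?(legacy_text_form(EVIL_NAME), host)}"
  puts "fixed,      NUL name:  #{fixed_match?(san_extension(EVIL_NAME), host)}"
  puts "fixed,      good name: #{fixed_match?(san_extension(GOOD_NAME), host)}"
end
```

Run with a stock Ruby that ships the openssl extension; the vulnerable matcher accepts the NUL-bearing certificate for www.example.com, while the fixed matcher rejects it and still accepts the legitimate name. The same property holds for a certificate built the other way round (NUL before an attacker-controlled label), which is why the fix rejects any embedded NUL rather than trying to interpret it.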

Details

Public Date: 2013-06-27

CVE-2013-4073 ruby: hostname check bypassing vulnerability in SSL client

Bugzilla ID: 979251


Red Hat Security Errata

Platform                                                          Errata          Release Date
Red Hat Enterprise Linux OpenStack Platform 3.0 (ruby193-ruby)    RHSA-2013:1103  2013-07-23
Red Hat Enterprise Linux 6 (ruby)                                 RHSA-2013:1090  2013-07-17
Red Hat Enterprise Linux 5 (ruby)                                 RHSA-2013:1090  2013-07-17
RHOSE Client 1.2 (ruby193-ruby)                                   RHSA-2013:1137  2013-08-05

Affected Packages State

Platform                                        Package        State
Red Hat Subscription Asset Manager 1            ruby193-ruby   Affected
Red Hat JBoss Enterprise SOA Platform 5         jruby          Will not fix
Red Hat JBoss Enterprise SOA Platform 4.3       jruby          Will not fix
Red Hat Enterprise Linux 7                      ruby           Not affected