CVE-2017-17718

Current Description

The Net::LDAP (aka net-ldap) gem before 0.16.0 for Ruby has Missing SSL Certificate Validation.

Basic Data

Published: December 17, 2017
Last Modified: January 05, 2018
Assigner: cve@mitre.org
Data Type: CVE
Data Format: MITRE
Data Version: 4.0
Problem Type: CWE-295
CVE Data Version: 4.0

Base Metric V2

CVSS 2 - Version: 2.0
CVSS 2 - Vector String: AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSS 2 - Access Vector: NETWORK
CVSS 2 - Access Complexity: MEDIUM
CVSS 2 - Authentication: NONE
CVSS 2 - Confidentiality Impact: PARTIAL
CVSS 2 - Availability Impact: NONE
CVSS 2 - Base Score: 4.3
Severity: MEDIUM
Exploitability Score: 8.6
Impact Score: 2.9
Obtain All Privilege: false
Obtain User Privilege: false
Obtain Other Privilege: false

Base Metric V3

CVSS 3 - Version: 3.0
CVSS 3 - Vector String: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 3 - Attack Vector: NETWORK
CVSS 3 - Attack Complexity: HIGH
CVSS 3 - Privileges Required: NONE
CVSS 3 - User Interaction: NONE
CVSS 3 - Scope: UNCHANGED
CVSS 3 - Confidentiality Impact: HIGH
CVSS 3 - Integrity Impact: NONE
CVSS 3 - Availability Impact: NONE
CVSS 3 - Base Score: 5.9
CVSS 3 - Base Severity: MEDIUM
Exploitability Score: 2.2
Base Severity: MEDIUM

Configurations

  • OR - Configuration 1

    All CPE entries in this configuration share the following fields:
      Cpe Version: 2.3
      Part: Application
      Vendor: Net-ldap Project
      Product: Net-ldap
      Update: *
      Edition: *
      Language: *
      SW Edition: *
      Target SW: ruby
      Target HW: *
      Other: *
      Version Start Including / Version End Including / Version Start Excluding / Version End Excluding: not set (exact versions are matched instead)

    The entries differ only in the Version field, one entry per version:
      0.0.5
      0.1.0
      0.1.1
      0.2
      0.2.1
      0.2.2
      0.3.0
      0.3.1
      0.5.1
      0.6.0
      0.6.1
      0.7.0
      0.8.0
      0.9.0
      0.10.0
      0.10.1
      0.11
      0.12.0
      0.12.1
      0.13.0
      0.14.0
      0.15.0

Vulnerable Software List

Vendor: Net-ldap Project
Product: Net-ldap
Versions: 0.0.5, 0.1.0, 0.1.1, 0.2, 0.2.1, 0.2.2, 0.3.0, 0.3.1, 0.5.1, 0.6.0, 0.6.1, 0.7.0, 0.8.0, 0.9.0, 0.10.0, 0.10.1, 0.11, 0.12.0, 0.12.1, 0.13.0, 0.14.0, 0.15.0

References

1. http://openwall.com/lists/oss-security/2017/12/17/10
   Source: MISC
   Tags: Issue Tracking, Mailing List, Third Party Advisory

2. https://github.com/ruby-ldap/ruby-net-ldap/issues/258
   Source: MISC
   Tags: Issue Tracking, Patch, Third Party Advisory

3. https://github.com/ruby-ldap/ruby-net-ldap/pull/279
   Source: MISC
   Tags: Issue Tracking, Patch, Third Party Advisory