Steffan Ullrich

**Name of the Vulnerable Software and Affected Versions** Ruby versions prior to 2.0.0 patchlevel 645 Ruby versions 2.1.x prior to 2.1.6 Ruby versions 2.2.x prior to 2.2.2 **Description** The issue concerns the improper validation of hostnames in the OpenSSL extension in Ruby, allowing remote attackers to spoof servers. This can be achieved through various vectors, including multiple wildcards, wildcards in IDNA names, case sensitivity, and non-ASCII characters. The vulnerability enables an attacker to substitute an SSL server using a specially crafted certificate. **Recommendations** For Ruby versions prior to 2.0.0 patchlevel 645, update to a version that includes the necessary patches. For Ruby versions 2.1.x prior to 2.1.6, update to version 2.1.6 or later. For Ruby versions 2.2.x prior to 2.2.2, update to version 2.2.2 or later. As a temporary workaround, consider restricting the use of wildcard certificates in the OpenSSL extension until a patch is applied.