GHSA-72qj-48g4-5xgx

Source
https://github.com/advisories/GHSA-72qj-48g4-5xgx
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-72qj-48g4-5xgx/GHSA-72qj-48g4-5xgx.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-72qj-48g4-5xgx
Aliases
Related
Published
2025-05-07T17:32:54Z
Modified
2025-05-07T19:38:16.466834Z
Severity
  • 5.7 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P
Summary
JRuby-OpenSSL has hostname verification disabled by default
Details

Summary

When verifying SSL certificates, jruby-openssl does not check that the hostname presented in the certificate matches the host we are trying to connect to. A MITM could therefore present any valid certificate for a completely different domain they own, and JRuby would not complain.

Details

n/a

PoC

An example domain, bad.substitutealert.com, was created to present a certificate for the domain s8a.me. The following script, run in IRB on CRuby 3.4.3, fails with certificate verify failed (hostname mismatch), but works just fine in JRuby 10.0.0.0 and JRuby 9.4.2.0, both of which use jruby-openssl version 0.15.3.

require "net/http"
require "openssl"

# Host that presents a valid certificate issued for a different name (s8a.me).
uri   = URI("https://bad.substitutealert.com/")
https = Net::HTTP.new(uri.host, uri.port)
https.use_ssl      = true
# Chain validation is requested; CRuby additionally checks the hostname here,
# jruby-openssl 0.15.3 does not.
https.verify_mode  = OpenSSL::SSL::VERIFY_PEER

# CRuby: raises OpenSSL::SSL::SSLError (hostname mismatch).
# JRuby with jruby-openssl 0.15.3: succeeds and prints the response body.
body = https.start { https.get(uri.request_uri).body }
puts body

Impact

Anybody using JRuby to make requests to external APIs, or to scrape the web, who depends on HTTPS to connect securely is affected.

Database specific
{
    "nvd_published_at": "2025-05-07T17:15:58Z",
    "cwe_ids": [
        "CWE-295",
        "CWE-297"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2025-05-07T17:32:54Z"
}

Affected packages

Maven / rubygems:jruby-openssl

Package

Name
rubygems:jruby-openssl
Purl
pkg:maven/rubygems/jruby-openssl

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0.12.1
Fixed
0.15.4

Maven / org.jruby:jruby

Package

Name
org.jruby:jruby
Purl
pkg:maven/org.jruby/jruby

Affected ranges

Type
ECOSYSTEM
Events
Introduced
10.0.0.0
Fixed
10.0.0.1

Affected versions

10.*

10.0.0.0

Maven / org.jruby:jruby

Package

Name
org.jruby:jruby
Purl
pkg:maven/org.jruby/jruby

Affected ranges

Type
ECOSYSTEM
Events
Introduced
9.3.4.0
Fixed
9.4.12.1

Affected versions

9.*

9.3.4.0
9.3.5.0
9.3.6.0
9.3.7.0
9.3.8.0
9.3.9.0
9.3.10.0
9.3.11.0
9.3.12.0
9.3.13.0
9.3.14.0
9.3.15.0
9.4.0.0
9.4.1.0
9.4.2.0
9.4.3.0
9.4.4.0
9.4.5.0
9.4.6.0
9.4.7.0
9.4.8.0
9.4.9.0
9.4.10.0
9.4.11.0
9.4.12.0