|
| 1 | +--- |
| 2 | +layout: advisory |
| 3 | +title: 'CVE-2025-46551 (jruby-openssl): JRuby-OpenSSL has hostname verification disabled |
| 4 | + by default' |
| 5 | +comments: false |
| 6 | +categories: |
| 7 | +- jruby-openssl |
| 8 | +- jruby |
| 9 | +advisory: |
| 10 | + gem: jruby-openssl |
| 11 | + platform: jruby |
| 12 | + cve: 2025-46551 |
| 13 | + ghsa: 72qj-48g4-5xgx |
| 14 | + url: https://github.com/advisories/GHSA-72qj-48g4-5xgx |
| 15 | + title: JRuby-OpenSSL has hostname verification disabled by default |
| 16 | + date: 2025-05-07 |
| 17 | + description: | |
| 18 | + JRuby-OpenSSL is an add-on gem for JRuby that emulates the Ruby |
| 19 | + OpenSSL native library. |
| 20 | +
|
| 21 | + Starting in JRuby-OpenSSL version 0.12.1 and prior to version 0.15.4 |
| 22 | + (corresponding to JRuby versions starting in 9.3.4.0 prior to 9.4.12.1 |
| 23 | + and 10.0.0.0 prior to 10.0.0.1), when verifying SSL certificates, |
| 24 | + JRuby-OpenSSL does not verify that the hostname presented in the |
| 25 | + certificate matches the one the user tries to connect to. |
| 26 | + This means a man-in-the-middle could just present any valid cert for |
| 27 | + a completely different domain they own, and JRuby would accept the cert. |
| 28 | + Anybody using JRuby to make requests of external APIs, or scraping |
| 29 | + the web, that depends on https to connect securely. |
| 30 | + JRuby-OpenSSL version 0.15.4 contains a fix for the issue. This fix |
| 31 | + is included in JRuby versions 10.0.0.1 and 9.4.12.1. |
| 32 | + cvss_v3: 3.7 |
| 33 | + cvss_v4: 5.7 |
| 34 | + unaffected_versions: |
| 35 | + - "<= 0.12.1" |
| 36 | + patched_versions: |
| 37 | + - ">= 0.15.4" |
| 38 | + related: |
| 39 | + url: |
| 40 | + - https://nvd.nist.gov/vuln/detail/CVE-2025-46551 |
| 41 | + - https://www.cve.org/CVERecord?id=CVE-2025-46551 |
| 42 | + - https://www.jruby.org/2025/05/07/jruby-9-4-12-1 |
| 43 | + - https://www.jruby.org/2025/05/07/jruby-10-0-0-1 |
| 44 | + - https://bsky.app/profile/jrubyproject.bsky.social/post/3lolurlze3p2s |
| 45 | + - https://github.com/advisories/GHSA-72qj-48g4-5xgx |
| 46 | + notes: | |
| 47 | + 1. Reference: https://bsky.app/profile/jrubyproject.bsky.social/post/3lolurlze3p2s |
| 48 | + -- "Security advisory: We have released jruby-openssl gem 0.15.4, |
| 49 | + jruby 10.0.0.1, and jruby 9.4.12.1 to address CVE-2025-46551, |
| 50 | + disabled hostname verification by default. |
| 51 | + We recommend that all users upgrade!" |
| 52 | +--- |
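Review bot: `unaffected_versions: "<= 0.12.1"` contradicts the description two blocks above it, which states the problem is present "Starting in JRuby-OpenSSL version 0.12.1 and prior to version 0.15.4"; with `<=`, 0.12.1 itself is declared safe even though the prose says it is affected, so this should read `- "< 0.12.1"` unless the description is wrong about the first affected release. Two smaller points in the same hunk: the description sentence "Anybody using JRuby to make requests of external APIs, or scraping the web, that depends on https to connect securely." has no main clause and should say what happens to those users (for example "... is affected."), and the GHSA link is listed both as `advisory.url` and again under `related.url`, so one of the two copies can be dropped.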