7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2009-4123

GHSA ID

GHSA-xgv7-pqqh-h2w9

EPSS Score

0.42775%

CWE

CWE-295

Published

1/19/2023

Updated

12/14/2023

KEV Status

Technology

Ruby

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2009-4123

CVE-2009-4123:
jruby-openssl gem for JRuby fails to do proper certificate validation

A security problem involving peer certificate verification was found where failed verification silently did nothing, making affected applications vulnerable to attackers. Attackers could lead a client application to believe that a secure connection to a rogue SSL server is legitimate. Attackers could also penetrate client-validated SSL server applications with a dummy certificate.

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2009-4123

GHSA ID

GHSA-xgv7-pqqh-h2w9

EPSS Score

0.42775%

CWE

CWE-295

Published

1/19/2023

Updated

12/14/2023

KEV Status

Technology

Ruby

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
jruby-openssl	rubygems	< 0.6	0.6

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper certificate validation in the jruby-openssl gem. The advisory explicitly states that failed verification 'silently did nothing,' which points to critical SSL handshake and validation functions.

SSLSocket#connect: This method is responsible for establishing the SSL connection. In proper implementations, it should check verification results and raise errors on failure. The vulnerability suggests this check was missing or bypassed.
SSLContext#set_verify: This method configures verification settings. The lack of validation implies it failed to bridge Ruby's VERIFY_PEER flag to Java's TrustManager configuration, leaving validation unenforced.

While the exact pre-0.6 code is unavailable, these functions are central to SSL validation in Ruby/OpenSSL integrations. The high confidence for SSLSocket#connect aligns with its direct role in connection establishment, while set_verify has medium confidence due to the indirect linkage to Java's SSL stack.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* s**urity pro*l*m involvin* p**r **rti*i**t* v*ri*i**tion w*s *oun* w**r* **il** v*ri*i**tion sil*ntly *i* not*in*, m*kin* *****t** *ppli**tions vuln*r**l* to *tt**k*rs. *tt**k*rs *oul* l*** * *li*nt *ppli**tion to **li*v* t**t * s**ur* *onn**tion t

Reasoning

T** vuln*r**ility st*ms *rom improp*r **rti*i**t* v*li**tion in t** jru*y-op*nssl **m. T** **visory *xpli*itly st*t*s t**t **il** v*ri*i**tion 'sil*ntly *i* not*in*,' w*i** points to *riti**l SSL **n*s**k* *n* v*li**tion *un*tions. *. **SSLSo*k*t#*

7.5

Basic Information

Concerned about an active attack path?

CVE-2009-4123: jruby-openssl gem for JRuby fails to do proper certificate validation

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2009-4123:
jruby-openssl gem for JRuby fails to do proper certificate validation

Vulnerability Intelligence
Miggo AI