
CVE-2012-2126: RubyGems does not verify SSL certificate

CVSS Score: 4.3

Basic Information

EPSS Score: 0.50434%
CWE: -
Published: 5/17/2022
Updated: 5/4/2023
KEV Status: No
Technology: Ruby

Technical Details

CVSS Vector (v2): AV:N/AC:M/Au:N/C:N/I:P/A:N

Package Name      Ecosystem   Vulnerable Versions   First Patched Version
rubygems-update   rubygems    < 1.8.23              1.8.23

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The vulnerability stemmed from two issues in the remote fetcher: 1) The connection_for method explicitly disabled SSL verification (VERIFY_NONE) for HTTPS connections, so any certificate, including one forged by a man-in-the-middle, was accepted. 2) The fetch_http method followed redirects from HTTPS to plain HTTP, so an attacker who could inject a Location header could downgrade the download to cleartext. The commit d4c7eaf added peer verification (VERIFY_PEER), CA certificate handling, and a check that redirects from HTTPS stay on HTTPS, directly addressing both code paths.
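The two code paths described above, shown side by side as an added example. This is not RubyGems' own code; the module names InsecureFetcher and HardenedFetcher, the UnsafeRedirectError class, and the sample URLs are assumptions made for illustration. Connections are only configured, never opened, so the block runs offline.

```ruby
require "net/http"
require "openssl"
require "uri"

# Added example (not RubyGems code). Models the two paths named in the
# root-cause analysis: how the HTTPS connection object is configured, and
# how a redirect target is validated before it is followed.
# Hypothetical names: InsecureFetcher, HardenedFetcher, UnsafeRedirectError.

class UnsafeRedirectError < StandardError; end

# Pre-1.8.23 pattern: certificate checks disabled outright, so a MITM
# presenting any self-signed certificate is accepted, and a redirect
# from https to http is followed without complaint.
module InsecureFetcher
  def self.connection_for(uri)
    http = Net::HTTP.new(uri.host, uri.port)
    if uri.scheme == "https"
      http.use_ssl = true
      http.verify_mode = OpenSSL::SSL::VERIFY_NONE # no validation at all
    end
    http
  end

  # Follows whatever Location the server sends, including a downgrade.
  def self.redirect_target(current, location)
    URI.join(current.to_s, location)
  end
end

# Hardened pattern: verify the peer against a CA bundle (or the system
# trust store when none is supplied) and refuse https -> http redirects.
module HardenedFetcher
  def self.connection_for(uri, ca_file: nil)
    http = Net::HTTP.new(uri.host, uri.port)
    if uri.scheme == "https"
      http.use_ssl = true
      http.verify_mode = OpenSSL::SSL::VERIFY_PEER
      if ca_file
        http.ca_file = ca_file
      else
        store = OpenSSL::X509::Store.new
        store.set_default_paths # OS trust store
        http.cert_store = store
      end
    end
    http
  end

  # Resolve the Location header relative to the current URL, then reject
  # any target that would leave HTTPS for a cleartext scheme.
  def self.redirect_target(current, location)
    target = URI.join(current.to_s, location)
    if current.scheme == "https" && target.scheme != "https"
      raise UnsafeRedirectError,
            "refusing redirect from #{current} to non-https #{target}"
    end
    target
  end
end
```

The check a practitioner wants on a host is simply `gem --version`; anything below 1.8.23 still carries the VERIFY_NONE path, and upgrading via `gem update --system` over an untrusted network is itself exposed to the same downgrade, so the first upgrade should be done from a trusted network or a locally verified package.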


WAF Protection Rules

WAF Rule

RubyGems before 1.8.23 does not verify an SSL certificate, which allows remote attackers to modify a gem during installation via a man-in-the-middle attack.

Reasoning

The vulnerability stemmed from two key issues: 1) The connection_for method explicitly disabled SSL verification (VERIFY_NONE) for HTTPS connections, leaving no certificate validation. 2) The fetch_http method allowed insecure redirects from HTTPS to HTTP.