CVE-2012-2126: RubyGems does not verify SSL certificate
CVSS Score
4.3
Basic Information
CVE ID
GHSA ID
EPSS Score
0.50434%
CWE
-
Published
5/17/2022
Updated
5/4/2023
KEV Status
No
Technology
Ruby
Technical Details
CVSS Vector
AV:N/AC:M/Au:N/C:N/I:P/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
rubygems-update | rubygems | < 1.8.23 | 1.8.23 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stemmed from two key issues:

1. The `connection_for` method explicitly disabled SSL verification (`VERIFY_NONE`) for HTTPS connections, leaving no certificate validation.
2. The `fetch_http` method allowed insecure redirects from HTTPS to HTTP.

The commit d4c7eaf added SSL verification (`VERIFY_PEER`), CA cert handling, and HTTPS redirect validation, directly addressing these vulnerable code paths.
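The two code paths described above, shown in the weak form beside the hardened form, as an added Ruby example that is not RubyGems' own code; the method names (`insecure_connection_for`, `secure_connection_for`, `safe_redirect?`) and the sample URLs are assumptions.

```ruby
require 'net/http'
require 'openssl'
require 'uri'

# Hypothetical reconstruction of the pre-1.8.23 pattern: verification is
# switched off, so a self-signed or wrong-host certificate is accepted and a
# network attacker can serve arbitrary gem data over "HTTPS".
def insecure_connection_for(uri)
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = (uri.scheme == 'https')
  http.verify_mode = OpenSSL::SSL::VERIFY_NONE if http.use_ssl?
  http
end

# Hardened form matching the fix: VERIFY_PEER makes OpenSSL validate the chain
# (Net::HTTP also checks the hostname) and a bad certificate raises
# OpenSSL::SSL::SSLError instead of silently proceeding. An explicit CA bundle
# can be supplied; otherwise OpenSSL's default store is used.
def secure_connection_for(uri, ca_file: nil)
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = (uri.scheme == 'https')
  if http.use_ssl?
    http.verify_mode = OpenSSL::SSL::VERIFY_PEER
    http.ca_file = ca_file if ca_file
  end
  http
end

# Redirect validation: a Location reached from an https:// URL must itself be
# https:// (relative Locations inherit the original scheme). http://, other
# schemes and unparsable Locations are treated as a downgrade and refused.
def safe_redirect?(from_uri, location)
  to = URI.join(from_uri, location.to_s)
  return false unless to.is_a?(URI::HTTP) && to.host
  return true unless from_uri.scheme == 'https'
  to.scheme == 'https'
rescue URI::InvalidURIError
  false
end

if $PROGRAM_NAME == __FILE__
  src = URI('https://rubygems.org/specs.4.8.gz')  # constructed sample URL
  puts "insecure verify_mode: #{insecure_connection_for(src).verify_mode}"
  puts "secure verify_mode:   #{secure_connection_for(src).verify_mode}"
  puts "https -> http allowed? #{safe_redirect?(src, 'http://mirror.example/')}"
end
```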