The vulnerability stemmed from two key issues: 1) the `connection_for` method explicitly disabled SSL certificate verification (`VERIFY_NONE`) for HTTPS connections, so the server's certificate was never validated; 2) the `fetch_http` method followed redirects from HTTPS to plain HTTP, allowing a downgrade to an unencrypted connection. Commit d4c7eaf added SSL verification (`VERIFY_PEER`), CA certificate handling, and validation that redirects from HTTPS stay on HTTPS, directly addressing these vulnerable code paths.
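The following is an added illustration, not the RubyGems code or the contents of commit d4c7eaf: it reconstructs the two code paths the advisory names with Ruby's standard `Net::HTTP`, a connection builder that enforces `VERIFY_PEER` with a CA store (mirroring `connection_for`) and a redirect check that refuses HTTPS-to-HTTP downgrades (mirroring `fetch_http`). Method names and hostnames are constructed for the example.

```ruby
require 'net/http'
require 'openssl'
require 'uri'

# Example code, not the RubyGems implementation. Build a client for +uri+ that
# validates the server certificate. The vulnerable code set VERIFY_NONE here;
# the hardened form sets VERIFY_PEER and gives OpenSSL a CA store to check
# against (an explicit ca_file, or the system default paths).
def secure_connection_for(uri, ca_file: nil)
  http = Net::HTTP.new(uri.host, uri.port)
  if uri.scheme == 'https'
    http.use_ssl = true
    http.verify_mode = OpenSSL::SSL::VERIFY_PEER # was VERIFY_NONE before the fix
    if ca_file
      http.ca_file = ca_file
    else
      store = OpenSSL::X509::Store.new
      store.set_default_paths # system CA bundle
      http.cert_store = store
    end
  end
  http
end

# Redirect policy for a fetch loop: only http/https targets are followed, and a
# request that started on HTTPS must never be redirected to plain HTTP, which is
# the downgrade the advisory describes.
def safe_redirect?(from, location)
  from = URI(from)
  to   = URI(location)
  return false unless %w[http https].include?(to.scheme)
  !(from.scheme == 'https' && to.scheme != 'https')
end

# Resolve a Location header under the policy above; raise instead of downgrading.
def follow_redirect(from, location)
  unless safe_redirect?(from, location)
    raise "refusing insecure redirect #{from} -> #{location}"
  end
  URI(location)
end
```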
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| rubygems-update | rubygems | < 1.8.23 | 1.8.23 |