diff --git a/gems/jruby-openssl/CVE-2025-46551.yml b/gems/jruby-openssl/CVE-2025-46551.yml new file mode 100644 index 0000000000..2e5870f5e8 --- /dev/null +++ b/gems/jruby-openssl/CVE-2025-46551.yml @@ -0,0 +1,43 @@ +--- +gem: jruby-openssl +platform: jruby +cve: 2025-46551 +ghsa: 72qj-48g4-5xgx +url: https://github.com/advisories/GHSA-72qj-48g4-5xgx +title: JRuby-OpenSSL has hostname verification disabled by default +date: 2025-05-07 +description: | + JRuby-OpenSSL is an add-on gem for JRuby that emulates the Ruby + OpenSSL native library. + + Starting in JRuby-OpenSSL version 0.12.1 and prior to version 0.15.4 + (corresponding to JRuby versions starting in 9.3.4.0 prior to 9.4.12.1 + and 10.0.0.0 prior to 10.0.0.1), when verifying SSL certificates, + JRuby-OpenSSL does not verify that the hostname presented in the + certificate matches the one the user tries to connect to. + This means a man-in-the-middle could just present any valid cert for + a completely different domain they own, and JRuby would accept the cert. + Anybody using JRuby to make requests of external APIs, or scraping + the web, that depends on https to connect securely. + JRuby-OpenSSL version 0.15.4 contains a fix for the issue. This fix + is included in JRuby versions 10.0.0.1 and 9.4.12.1. +cvss_v3: 3.7 +cvss_v4: 5.7 +unaffected_versions: + - "<= 0.12.1" +patched_versions: + - ">= 0.15.4" +related: + url: + - https://nvd.nist.gov/vuln/detail/CVE-2025-46551 + - https://www.cve.org/CVERecord?id=CVE-2025-46551 + - https://www.jruby.org/2025/05/07/jruby-9-4-12-1 + - https://www.jruby.org/2025/05/07/jruby-10-0-0-1 + - https://bsky.app/profile/jrubyproject.bsky.social/post/3lolurlze3p2s + - https://github.com/advisories/GHSA-72qj-48g4-5xgx +notes: | + 1. Reference: https://bsky.app/profile/jrubyproject.bsky.social/post/3lolurlze3p2s + -- "Security advisory: We have released jruby-openssl gem 0.15.4, + jruby 10.0.0.1, and jruby 9.4.12.1 to address CVE-2025-46551, + disabled hostname verification by default. + We recommend that all users upgrade!"