1 brand new advisory

gems/jruby-openssl/CVE-2025-46551.yml

@@ -0,0 +1,43 @@
+---
+gem: jruby-openssl
+platform: jruby
+cve: 2025-46551
+ghsa: 72qj-48g4-5xgx
+url: https://github.com/advisories/GHSA-72qj-48g4-5xgx
+title: JRuby-OpenSSL has hostname verification disabled by default
+date: 2025-05-07
+description: |
+  JRuby-OpenSSL is an add-on gem for JRuby that emulates the Ruby
+  OpenSSL native library.
+
+  Starting in JRuby-OpenSSL version 0.12.1 and prior to version 0.15.4
+  (corresponding to JRuby versions starting in 9.3.4.0 prior to 9.4.12.1
+  and 10.0.0.0 prior to 10.0.0.1), when verifying SSL certificates,
+  JRuby-OpenSSL does not verify that the hostname presented in the
+  certificate matches the one the user tries to connect to.
+  This means a man-in-the-middle could just present any valid cert for
+  a completely different domain they own, and JRuby would accept the cert.
+  Anybody using JRuby to make requests of external APIs, or scraping
+  the web, that depends on https to connect securely.
+  JRuby-OpenSSL version 0.15.4 contains a fix for the issue. This fix
+  is included in JRuby versions 10.0.0.1 and 9.4.12.1.
+cvss_v3: 3.7
+cvss_v4: 5.7
+unaffected_versions:
+  - "<= 0.12.1"
+patched_versions:
+  - ">= 0.15.4"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2025-46551
+    - https://www.cve.org/CVERecord?id=CVE-2025-46551
+    - https://www.jruby.org/2025/05/07/jruby-9-4-12-1
+    - https://www.jruby.org/2025/05/07/jruby-10-0-0-1
+    - https://bsky.app/profile/jrubyproject.bsky.social/post/3lolurlze3p2s
+    - https://github.com/advisories/GHSA-72qj-48g4-5xgx
+notes: |
+  1. Reference: https://bsky.app/profile/jrubyproject.bsky.social/post/3lolurlze3p2s
+     -- "Security advisory: We have released jruby-openssl gem 0.15.4,
+        jruby 10.0.0.1, and jruby 9.4.12.1 to address CVE-2025-46551,
+        disabled hostname verification by default.
+        We recommend that all users upgrade!"