CVE-2013-4073 (Ruby SSL Vulnerability)

  • Posted August 15, 2013

  • Severity: Medium

A vulnerability in Ruby’s SSL client could allow man-in-the-middle attackers to spoof SSL servers via a valid certificate issued by a trusted certification authority. The vulnerability existed because, although Ruby’s SSL client did implement a `hostname` identity check, it did not properly handle hostnames in certificates that contain null bytes.
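
The following is an added example, not code from Ruby, Puppet, or the original advisory. It is a simplified model of the failure class described above, assuming the certificate name is viewed as a NUL-terminated string before comparison; the function names and the sample name (built on the reserved `.example` domain) are hypothetical and constructed for illustration.

```ruby
# Constructed sample: a certificate dNSName carrying an embedded NUL byte.
# A CA validating domain ownership sees the full name (ending in
# other.example); a C-string view sees only the part before the NUL.
SAMPLE_CERT_NAME = "www.bank.example\0.other.example"

# Models a text layer that treats the name as a C string: everything
# after the first NUL byte is silently dropped.
def c_string_view(name)
  name.split("\0", 2).first.to_s
end

# Weak check: compares the truncated view with the requested hostname,
# so the sample name is accepted for a host it was never issued for.
def weak_match?(cert_name, hostname)
  c_string_view(cert_name).downcase == hostname.downcase
end

# Hardened check: works on the full string, rejects any name containing
# NUL or characters outside the hostname alphabet, then compares.
def strict_match?(cert_name, hostname)
  return false if cert_name.include?("\0")
  return false unless cert_name.match?(/\A[A-Za-z0-9.*-]+\z/)
  cert_name.downcase == hostname.downcase
end

if __FILE__ == $PROGRAM_NAME
  host = "www.bank.example"
  puts "weak check accepts sample name:   #{weak_match?(SAMPLE_CERT_NAME, host)}"
  puts "strict check accepts sample name: #{strict_match?(SAMPLE_CERT_NAME, host)}"
  puts "strict check accepts clean name:  #{strict_match?(host, host)}"
end
```

On a patched Ruby the identity check is performed by the standard library itself; a check like `strict_match?` is only useful as a model of what that check has to get right, or as a pre-filter when auditing certificate names in logs or inventories.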


  • Affected Versions: Puppet Enterprise 2.8.2 and earlier, 3.0.0
  • Resolved in Puppet Enterprise 2.8.3 and 3.0.1