Vulnerable Library - asciidoctorj-2.5.3.jar
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/jruby/jruby/9.3.6.0/jruby-9.3.6.0.jar
Found in HEAD commit: 2ff65424c48b6f26c40b741a18dfe5db8d9c8841
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, a Remediation PR cannot be created automatically for a vulnerability despite the availability of a remediation.
Details
CVE-2025-46551
Vulnerable Library - jruby-9.3.6.0.jar
Library home page: https://github.com/jruby/jruby
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/jruby/jruby/9.3.6.0/jruby-9.3.6.0.jar
Dependency Hierarchy:
- asciidoctorj-2.5.3.jar (Root Library)
  - ❌ jruby-9.3.6.0.jar (Vulnerable Library)
Found in HEAD commit: 2ff65424c48b6f26c40b741a18dfe5db8d9c8841
Found in base branch: main
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
JRuby-OpenSSL is an add-on gem for JRuby that emulates the Ruby OpenSSL native library. Starting in JRuby-OpenSSL version 0.12.1 and prior to version 0.15.4 (corresponding to JRuby versions starting in 9.3.4.0 prior to 9.4.12.1 and 10.0.0.0 prior to 10.0.0.1), when verifying SSL certificates, JRuby-OpenSSL does not verify that the hostname presented in the certificate matches the one the user tries to connect to. This means a man-in-the-middle could just present any valid cert for a completely different domain they own, and JRuby would accept the cert. This affects anybody using JRuby to make requests of external APIs, or to scrape the web, who depends on HTTPS to connect securely. JRuby-OpenSSL version 0.15.4 contains a fix for the issue. This fix is included in JRuby versions 10.0.0.1 and 9.4.12.1.
Publish Date: 2025-05-07
URL: CVE-2025-46551
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.1%
CVSS 3 Score Details (3.7)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: Low
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-72qj-48g4-5xgx
Release Date: 2025-05-07
Fix Resolution: jruby-openssl - 0.15.4, https://github.com/jruby/jruby-openssl.git - v0.15.4