[RUBYSEC:OPENSSL-2018-16395] Incorrect value comparison in Ruby openssl
Severity
Critical
Affected Packages
1
Fixed Packages
1
CVEs
1
An issue was discovered in the OpenSSL library in Ruby when two OpenSSL::X509::Name
objects are compared using ==, depending on the ordering, non-equal objects may
return true. When the first argument is one character longer than the second, or
the second argument contains a character that is one less than a character in the
same position of the first argument, the result of == will be true. This could be
leveraged to create an illegitimate certificate that may be accepted as legitimate
and then used in signing or encryption operations.
| Package | Affected Version |
|---|---|
 pkg:gem/openssl
|
< 2.1.2 |
| Package | Fixed Version |
|---|---|
|
pkg:gem/openssl
|
>= 2.1.2 |
- ID
- RUBYSEC:OPENSSL-2018-16395
- Severity
- critical
- URL
- https://www.ruby-lang.org/en/news/2018/10/17/openssl-x509-name-equality-check-does-not-work-correctly-cve-2018-16395/
- Published
-
2018-10-17T00:00:00
(6 years ago) - Modified
-
2023-06-11T20:53:25
(15 months ago) - Rights
- RubySec Security Team
- Other Advisories
-
-
ALAS-2018-1113
-
ALAS2-2019-1143
-
ALPINE:CVE-2018-16395
-
DSA-4332-1
-
ELSA-2018-3738
-
FEDORA-2018-190ecd2ef8
-
FEDORA-2018-319b9d0f68
-
FEDORA-2018-6070bcf454
-
FREEBSD:AFC60484-0652-440E-B01A-5EF814747F06
-
MS:CVE-2018-16395
-
openSUSE-SU-2019:1771-1
-
RHSA-2018:3738
-
SUSE-SU-2019:1804-1
-
SUSE-SU-2020:1570-1
-
USN-3808-1
-
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | Exploits | PoC | Pubblication Date | Modification Date |
|---|---|---|---|---|---|---|---|---|---|---|---|
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | PoC | Pubblication Date | Modification Date |