[RUBYSEC:OPENSSL-2018-16395] Incorrect value comparison in Ruby openssl
Severity: Critical
Affected Packages: 1
Fixed Packages: 1
CVEs: 1

An issue was discovered in the OpenSSL library in Ruby. When two OpenSSL::X509::Name
objects are compared using ==, non-equal objects may compare as equal (== returns
true), depending on the ordering of the arguments. When the first argument is one
character longer than the second, or the second argument contains a character that
is one less than a character in the same position of the first argument, the result
of == will be true. This could be leveraged to create an illegitimate certificate
that may be accepted as legitimate and then used in signing or encryption operations.

Package | Affected Version |
---|---|
pkg:gem/openssl | < 2.1.2 |

Package | Fixed Version |
---|---|
pkg:gem/openssl | >= 2.1.2 |

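A check a maintainer could run against a deployed Ruby, added here as an example and not taken from the advisory or the openssl gem: it compares the loaded gem version with the fixed version in the table above and probes `==` with name pairs matching the two conditions in the description. The helper names, the sample CN values and the DER-based comparison (byte-exact, so stricter than OpenSSL's own name comparison) are assumptions.

```ruby
require "rubygems"
require "openssl"

# Fixed version taken from the "Fixed Version" table in this advisory.
FIXED_VERSION = Gem::Version.new("2.1.2")

# True when an openssl gem version is in the affected range (< 2.1.2).
def affected_version?(version = OpenSSL::VERSION)
  Gem::Version.new(version) < FIXED_VERSION
end

# Hypothetical helper: build a single-attribute name from a constructed CN.
def cn_name(cn)
  OpenSSL::X509::Name.new([["CN", cn]])
end

# Constructed pairs of non-equal names, one per condition in the description:
# [first argument, second argument].
PROBES = [
  ["example.comx", "example.com"], # first is one character longer
  ["example.com",  "example.col"], # second has 'l', one less than 'm'
].freeze

# True when == behaves correctly: equal names match, probe pairs do not.
def comparison_sound?
  cn_name("example.com") == cn_name("example.com") &&
    PROBES.none? { |first, second| cn_name(first) == cn_name(second) }
end

# Interim comparison that does not rely on ==: compare the DER encodings.
# Assumption: byte-exact matching is acceptable for the caller.
def der_equal?(a, b)
  a.to_der == b.to_der
end

if __FILE__ == $PROGRAM_NAME
  puts "openssl gem #{OpenSSL::VERSION}: " \
       "#{affected_version? ? 'AFFECTED (< 2.1.2)' : 'not in affected range'}"
  puts "X509::Name#== probe: #{comparison_sound? ? 'sound' : 'UNSOUND'}"
end
```
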
- ID: RUBYSEC:OPENSSL-2018-16395
- Severity: critical
- URL: https://www.ruby-lang.org/en/news/2018/10/17/openssl-x509-name-equality-check-does-not-work-correctly-cve-2018-16395/
- Published: 2018-10-17T00:00:00
- Modified: 2023-06-11T20:53:25
- Rights: RubySec Security Team
- Other Advisories:
- ALAS-2018-1113
- ALAS2-2019-1143
- ALPINE:CVE-2018-16395
- DSA-4332-1
- ELSA-2018-3738
- FEDORA-2018-190ecd2ef8
- FEDORA-2018-319b9d0f68
- FEDORA-2018-6070bcf454
- FREEBSD:AFC60484-0652-440E-B01A-5EF814747F06
- MS:CVE-2018-16395
- openSUSE-SU-2019:1771-1
- RHSA-2018:3738
- SUSE-SU-2019:1804-1
- SUSE-SU-2020:1570-1
- USN-3808-1