Search criteria
6 vulnerabilities found for openssl by ruby-lang
FKIE_CVE-2018-16395
Vulnerability from fkie_nvd - Published: 2018-11-16 18:29 - Updated: 2024-11-21 03:52
Severity
Summary
An issue was discovered in the OpenSSL library in Ruby before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.2, and 2.6.x before 2.6.0-preview3. When two OpenSSL::X509::Name objects are compared using ==, depending on the ordering, non-equal objects may return true. When the first argument is one character longer than the second, or the second argument contains a character that is one less than a character in the same position of the first argument, the result of == will be true. This could be leveraged to create an illegitimate certificate that may be accepted as legitimate and then used in signing or encryption operations.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ruby-lang | openssl | * | |
| ruby-lang | ruby | * | |
| ruby-lang | ruby | * | |
| ruby-lang | ruby | * | |
| ruby-lang | ruby | 2.6.0 | |
| ruby-lang | ruby | 2.6.0 | |
| canonical | ubuntu_linux | 14.04 | |
| canonical | ubuntu_linux | 16.04 | |
| canonical | ubuntu_linux | 18.04 | |
| canonical | ubuntu_linux | 18.10 | |
| debian | debian_linux | 8.0 | |
| debian | debian_linux | 9.0 | |
| redhat | enterprise_linux | 7.4 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ruby-lang:openssl:*:*:*:*:*:ruby:*:*",
"matchCriteriaId": "DDD3EC39-B375-4B68-963F-08418673D321",
"versionEndExcluding": "2.1.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4F4CB899-0054-44BB-A3BD-FB225CC663DB",
"versionEndIncluding": "2.3.7",
"versionStartIncluding": "2.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4A07531E-A788-41ED-8C5D-AAB2F532EA7A",
"versionEndIncluding": "2.4.4",
"versionStartIncluding": "2.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*",
"matchCriteriaId": "70C32AF6-57D9-4F85-857B-4EFC425D9145",
"versionEndIncluding": "2.5.1",
"versionStartIncluding": "2.5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ruby-lang:ruby:2.6.0:preview1:*:*:*:*:*:*",
"matchCriteriaId": "787FDFC6-E780-4F95-9E46-C5CF77E7EBC7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ruby-lang:ruby:2.6.0:preview2:*:*:*:*:*:*",
"matchCriteriaId": "49B6EEAA-B52E-42B9-A6C2-D65D7C81A0EC",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*",
"matchCriteriaId": "B5A6F2F3-4894-4392-8296-3B8DD2679084",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*",
"matchCriteriaId": "F7016A2A-8365-4F1A-89A2-7A19F2BCAE5B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*",
"matchCriteriaId": "23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*",
"matchCriteriaId": "07C312A0-CD2C-4B9C-B064-6409B25C278F",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux:7.4:*:*:*:*:*:*:*",
"matchCriteriaId": "041F9200-4C01-4187-AE34-240E8277B54D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in the OpenSSL library in Ruby before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.2, and 2.6.x before 2.6.0-preview3. When two OpenSSL::X509::Name objects are compared using ==, depending on the ordering, non-equal objects may return true. When the first argument is one character longer than the second, or the second argument contains a character that is one less than a character in the same position of the first argument, the result of == will be true. This could be leveraged to create an illegitimate certificate that may be accepted as legitimate and then used in signing or encryption operations."
},
{
"lang": "es",
"value": "Se ha descubierto un problema en la biblioteca OpenSSL en Ruby, en versiones anteriores a la 2.3.8, versiones 2.4.x anteriores a la 2.4.5, versiones 2.5.x anteriores a la 2.5.2 y versiones 2.6.x anteriores a la 2.6.0-preview3. Cuando dos objetos OpenSSL::X509::Name se comparan mediante ==, dependiendo del orden, los objetos que no son iguales podr\u00edan devolver \"true\". Cuando el primer argumento tiene un car\u00e1cter m\u00e1s que el segundo, o el segundo argumento contiene un car\u00e1cter que tiene uno menos que el car\u00e1cter en la misma posici\u00f3n que el primer argumento, el resultado de == ser\u00e1 \"true\". Esto podr\u00eda aprovecharse para crear un certificado ileg\u00edtimo que podr\u00eda ser aceptado como leg\u00edtimo y despu\u00e9s emplearse en operaciones de firma o cifrado."
}
],
"id": "CVE-2018-16395",
"lastModified": "2024-11-21T03:52:40.143",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-11-16T18:29:00.943",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securitytracker.com/id/1042105"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2018:3729"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2018:3730"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2018:3731"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2018:3738"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1948"
},
{
"source": "cve@mitre.org",
"url": "https://access.redhat.com/errata/RHSA-2019:2565"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://hackerone.com/reports/387250"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2018/10/msg00020.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20190221-0002/"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://usn.ubuntu.com/3808-1/"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2018/dsa-4332"
},
{
"source": "cve@mitre.org",
"url": "https://www.oracle.com/security-alerts/cpujan2020.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://www.ruby-lang.org/en/news/2018/10/17/openssl-x509-name-equality-check-does-not-work-correctly-cve-2018-16395/"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.ruby-lang.org/en/news/2018/10/17/ruby-2-3-8-released/"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.ruby-lang.org/en/news/2018/10/17/ruby-2-4-5-released/"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.ruby-lang.org/en/news/2018/10/17/ruby-2-5-2-released/"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.ruby-lang.org/en/news/2018/11/06/ruby-2-6-0-preview3-released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securitytracker.com/id/1042105"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2018:3729"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2018:3730"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2018:3731"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2018:3738"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1948"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://access.redhat.com/errata/RHSA-2019:2565"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://hackerone.com/reports/387250"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2018/10/msg00020.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20190221-0002/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://usn.ubuntu.com/3808-1/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2018/dsa-4332"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.oracle.com/security-alerts/cpujan2020.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://www.ruby-lang.org/en/news/2018/10/17/openssl-x509-name-equality-check-does-not-work-correctly-cve-2018-16395/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.ruby-lang.org/en/news/2018/10/17/ruby-2-3-8-released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.ruby-lang.org/en/news/2018/10/17/ruby-2-4-5-released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.ruby-lang.org/en/news/2018/10/17/ruby-2-5-2-released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.ruby-lang.org/en/news/2018/11/06/ruby-2-6-0-preview3-released/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2016-7798
Vulnerability from fkie_nvd - Published: 2017-01-30 22:59 - Updated: 2026-05-13 00:24
Severity
Summary
The openssl gem for Ruby uses the same initialization vector (IV) in GCM Mode (aes-*-gcm) when the IV is set before the key, which makes it easier for context-dependent attackers to bypass the encryption protection mechanism.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ruby-lang | openssl | * | |
| debian | debian_linux | 8.0 | |
| debian | debian_linux | 9.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ruby-lang:openssl:*:*:*:*:*:ruby:*:*",
"matchCriteriaId": "5A99A902-22BC-4E8A-92CD-58A7ABA19A5E",
"versionEndExcluding": "2.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The openssl gem for Ruby uses the same initialization vector (IV) in GCM Mode (aes-*-gcm) when the IV is set before the key, which makes it easier for context-dependent attackers to bypass the encryption protection mechanism."
},
{
"lang": "es",
"value": "La openssl gem para Ruby utiliza el mismo vector de inicializaci\u00f3n (IV) en el modo GCM (aes - * - gcm) cuando el IV se establece en versiones anteriores a la clave, lo que facilita que los atacantes dependiendo del contexto eludan el mecanismo de protecci\u00f3n del cifrado."
}
],
"id": "CVE-2016-7798",
"lastModified": "2026-05-13T00:24:29.033",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": true,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-01-30T22:59:00.747",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/09/19/9"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/09/30/6"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/10/01/2"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/93031"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/ruby/openssl/commit/8108e0a6db133f3375608303fdd2083eb5115062"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/ruby/openssl/issues/49"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2017/dsa-3966"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/09/19/9"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/09/30/6"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/10/01/2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/93031"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/ruby/openssl/commit/8108e0a6db133f3375608303fdd2083eb5115062"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/ruby/openssl/issues/49"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2017/dsa-3966"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-326"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2018-16395 (GCVE-0-2018-16395)
Vulnerability from cvelistv5 – Published: 2018-11-16 18:00 – Updated: 2024-08-05 10:24
VLAI
Summary
An issue was discovered in the OpenSSL library in Ruby before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.2, and 2.6.x before 2.6.0-preview3. When two OpenSSL::X509::Name objects are compared using ==, depending on the ordering, non-equal objects may return true. When the first argument is one character longer than the second, or the second argument contains a character that is one less than a character in the same position of the first argument, the result of == will be true. This could be leveraged to create an illegitimate certificate that may be accepted as legitimate and then used in signing or encryption operations.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
19 references
Date Public
2018-10-17 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T10:24:32.106Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.ruby-lang.org/en/news/2018/10/17/openssl-x509-name-equality-check-does-not-work-correctly-cve-2018-16395/"
},
{
"name": "RHSA-2018:3738",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:3738"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.ruby-lang.org/en/news/2018/11/06/ruby-2-6-0-preview3-released/"
},
{
"name": "RHSA-2018:3729",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:3729"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/387250"
},
{
"name": "RHSA-2018:3730",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:3730"
},
{
"name": "RHSA-2018:3731",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:3731"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.ruby-lang.org/en/news/2018/10/17/ruby-2-3-8-released/"
},
{
"name": "DSA-4332",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2018/dsa-4332"
},
{
"name": "USN-3808-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/3808-1/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.ruby-lang.org/en/news/2018/10/17/ruby-2-4-5-released/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20190221-0002/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.ruby-lang.org/en/news/2018/10/17/ruby-2-5-2-released/"
},
{
"name": "[debian-lts-announce] 20181028 [SECURITY] [DLA 1558-1] ruby2.1 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2018/10/msg00020.html"
},
{
"name": "1042105",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1042105"
},
{
"name": "openSUSE-SU-2019:1771",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html"
},
{
"name": "RHSA-2019:1948",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1948"
},
{
"name": "RHSA-2019:2565",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:2565"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujan2020.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2018-10-17T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in the OpenSSL library in Ruby before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.2, and 2.6.x before 2.6.0-preview3. When two OpenSSL::X509::Name objects are compared using ==, depending on the ordering, non-equal objects may return true. When the first argument is one character longer than the second, or the second argument contains a character that is one less than a character in the same position of the first argument, the result of == will be true. This could be leveraged to create an illegitimate certificate that may be accepted as legitimate and then used in signing or encryption operations."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-01-15T19:15:22.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.ruby-lang.org/en/news/2018/10/17/openssl-x509-name-equality-check-does-not-work-correctly-cve-2018-16395/"
},
{
"name": "RHSA-2018:3738",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:3738"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.ruby-lang.org/en/news/2018/11/06/ruby-2-6-0-preview3-released/"
},
{
"name": "RHSA-2018:3729",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:3729"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/387250"
},
{
"name": "RHSA-2018:3730",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:3730"
},
{
"name": "RHSA-2018:3731",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:3731"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.ruby-lang.org/en/news/2018/10/17/ruby-2-3-8-released/"
},
{
"name": "DSA-4332",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2018/dsa-4332"
},
{
"name": "USN-3808-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/3808-1/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.ruby-lang.org/en/news/2018/10/17/ruby-2-4-5-released/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20190221-0002/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.ruby-lang.org/en/news/2018/10/17/ruby-2-5-2-released/"
},
{
"name": "[debian-lts-announce] 20181028 [SECURITY] [DLA 1558-1] ruby2.1 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2018/10/msg00020.html"
},
{
"name": "1042105",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1042105"
},
{
"name": "openSUSE-SU-2019:1771",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html"
},
{
"name": "RHSA-2019:1948",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1948"
},
{
"name": "RHSA-2019:2565",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:2565"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujan2020.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-16395",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in the OpenSSL library in Ruby before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.2, and 2.6.x before 2.6.0-preview3. When two OpenSSL::X509::Name objects are compared using ==, depending on the ordering, non-equal objects may return true. When the first argument is one character longer than the second, or the second argument contains a character that is one less than a character in the same position of the first argument, the result of == will be true. This could be leveraged to create an illegitimate certificate that may be accepted as legitimate and then used in signing or encryption operations."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.ruby-lang.org/en/news/2018/10/17/openssl-x509-name-equality-check-does-not-work-correctly-cve-2018-16395/",
"refsource": "CONFIRM",
"url": "https://www.ruby-lang.org/en/news/2018/10/17/openssl-x509-name-equality-check-does-not-work-correctly-cve-2018-16395/"
},
{
"name": "RHSA-2018:3738",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:3738"
},
{
"name": "https://www.ruby-lang.org/en/news/2018/11/06/ruby-2-6-0-preview3-released/",
"refsource": "CONFIRM",
"url": "https://www.ruby-lang.org/en/news/2018/11/06/ruby-2-6-0-preview3-released/"
},
{
"name": "RHSA-2018:3729",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:3729"
},
{
"name": "https://hackerone.com/reports/387250",
"refsource": "MISC",
"url": "https://hackerone.com/reports/387250"
},
{
"name": "RHSA-2018:3730",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:3730"
},
{
"name": "RHSA-2018:3731",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:3731"
},
{
"name": "https://www.ruby-lang.org/en/news/2018/10/17/ruby-2-3-8-released/",
"refsource": "CONFIRM",
"url": "https://www.ruby-lang.org/en/news/2018/10/17/ruby-2-3-8-released/"
},
{
"name": "DSA-4332",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2018/dsa-4332"
},
{
"name": "USN-3808-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/3808-1/"
},
{
"name": "https://www.ruby-lang.org/en/news/2018/10/17/ruby-2-4-5-released/",
"refsource": "CONFIRM",
"url": "https://www.ruby-lang.org/en/news/2018/10/17/ruby-2-4-5-released/"
},
{
"name": "https://security.netapp.com/advisory/ntap-20190221-0002/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20190221-0002/"
},
{
"name": "https://www.ruby-lang.org/en/news/2018/10/17/ruby-2-5-2-released/",
"refsource": "CONFIRM",
"url": "https://www.ruby-lang.org/en/news/2018/10/17/ruby-2-5-2-released/"
},
{
"name": "[debian-lts-announce] 20181028 [SECURITY] [DLA 1558-1] ruby2.1 security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2018/10/msg00020.html"
},
{
"name": "1042105",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1042105"
},
{
"name": "openSUSE-SU-2019:1771",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html"
},
{
"name": "RHSA-2019:1948",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:1948"
},
{
"name": "RHSA-2019:2565",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:2565"
},
{
"name": "https://www.oracle.com/security-alerts/cpujan2020.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujan2020.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-16395",
"datePublished": "2018-11-16T18:00:00.000Z",
"dateReserved": "2018-09-03T00:00:00.000Z",
"dateUpdated": "2024-08-05T10:24:32.106Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-7798 (GCVE-0-2016-7798)
Vulnerability from cvelistv5 – Published: 2017-01-30 22:00 – Updated: 2024-08-06 02:04
VLAI
Summary
The openssl gem for Ruby uses the same initialization vector (IV) in GCM Mode (aes-*-gcm) when the IV is set before the key, which makes it easier for context-dependent attackers to bypass the encryption protection mechanism.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
8 references
| URL | Tags |
|---|---|
| http://www.openwall.com/lists/oss-security/2016/09/30/6 | mailing-listx_refsource_MLIST |
| https://www.debian.org/security/2017/dsa-3966 | vendor-advisoryx_refsource_DEBIAN |
| https://github.com/ruby/openssl/commit/8108e0a6db… | x_refsource_CONFIRM |
| http://www.openwall.com/lists/oss-security/2016/10/01/2 | mailing-listx_refsource_MLIST |
| https://lists.debian.org/debian-lts-announce/2018… | mailing-listx_refsource_MLIST |
| http://www.openwall.com/lists/oss-security/2016/09/19/9 | mailing-listx_refsource_MLIST |
| http://www.securityfocus.com/bid/93031 | vdb-entryx_refsource_BID |
| https://github.com/ruby/openssl/issues/49 | x_refsource_CONFIRM |
Date Public
2016-03-27 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T02:04:56.020Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[oss-security] 20160930 Re: CVE Request - Ruby OpenSSL Library - IV Reuse in GCM Mode",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2016/09/30/6"
},
{
"name": "DSA-3966",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2017/dsa-3966"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/ruby/openssl/commit/8108e0a6db133f3375608303fdd2083eb5115062"
},
{
"name": "[oss-security] 20160930 Re: CVE Request - Ruby OpenSSL Library - IV Reuse in GCM Mode",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2016/10/01/2"
},
{
"name": "[debian-lts-announce] 20180714 [SECURITY] [DLA 1421-1] ruby2.1 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html"
},
{
"name": "[oss-security] 20160919 CVE Request - Ruby OpenSSL Library - IV Reuse in GCM Mode",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2016/09/19/9"
},
{
"name": "93031",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/93031"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/ruby/openssl/issues/49"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-03-27T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The openssl gem for Ruby uses the same initialization vector (IV) in GCM Mode (aes-*-gcm) when the IV is set before the key, which makes it easier for context-dependent attackers to bypass the encryption protection mechanism."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-07-14T09:57:01.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "[oss-security] 20160930 Re: CVE Request - Ruby OpenSSL Library - IV Reuse in GCM Mode",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2016/09/30/6"
},
{
"name": "DSA-3966",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2017/dsa-3966"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ruby/openssl/commit/8108e0a6db133f3375608303fdd2083eb5115062"
},
{
"name": "[oss-security] 20160930 Re: CVE Request - Ruby OpenSSL Library - IV Reuse in GCM Mode",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2016/10/01/2"
},
{
"name": "[debian-lts-announce] 20180714 [SECURITY] [DLA 1421-1] ruby2.1 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html"
},
{
"name": "[oss-security] 20160919 CVE Request - Ruby OpenSSL Library - IV Reuse in GCM Mode",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2016/09/19/9"
},
{
"name": "93031",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/93031"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ruby/openssl/issues/49"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-7798",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The openssl gem for Ruby uses the same initialization vector (IV) in GCM Mode (aes-*-gcm) when the IV is set before the key, which makes it easier for context-dependent attackers to bypass the encryption protection mechanism."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[oss-security] 20160930 Re: CVE Request - Ruby OpenSSL Library - IV Reuse in GCM Mode",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2016/09/30/6"
},
{
"name": "DSA-3966",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2017/dsa-3966"
},
{
"name": "https://github.com/ruby/openssl/commit/8108e0a6db133f3375608303fdd2083eb5115062",
"refsource": "CONFIRM",
"url": "https://github.com/ruby/openssl/commit/8108e0a6db133f3375608303fdd2083eb5115062"
},
{
"name": "[oss-security] 20160930 Re: CVE Request - Ruby OpenSSL Library - IV Reuse in GCM Mode",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2016/10/01/2"
},
{
"name": "[debian-lts-announce] 20180714 [SECURITY] [DLA 1421-1] ruby2.1 security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html"
},
{
"name": "[oss-security] 20160919 CVE Request - Ruby OpenSSL Library - IV Reuse in GCM Mode",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2016/09/19/9"
},
{
"name": "93031",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/93031"
},
{
"name": "https://github.com/ruby/openssl/issues/49",
"refsource": "CONFIRM",
"url": "https://github.com/ruby/openssl/issues/49"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-7798",
"datePublished": "2017-01-30T22:00:00.000Z",
"dateReserved": "2016-09-09T00:00:00.000Z",
"dateUpdated": "2024-08-06T02:04:56.020Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-16395 (GCVE-0-2018-16395)
Vulnerability from nvd – Published: 2018-11-16 18:00 – Updated: 2024-08-05 10:24
VLAI
Summary
An issue was discovered in the OpenSSL library in Ruby before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.2, and 2.6.x before 2.6.0-preview3. When two OpenSSL::X509::Name objects are compared using ==, depending on the ordering, non-equal objects may return true. When the first argument is one character longer than the second, or the second argument contains a character that is one less than a character in the same position of the first argument, the result of == will be true. This could be leveraged to create an illegitimate certificate that may be accepted as legitimate and then used in signing or encryption operations.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
19 references
Date Public
2018-10-17 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T10:24:32.106Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.ruby-lang.org/en/news/2018/10/17/openssl-x509-name-equality-check-does-not-work-correctly-cve-2018-16395/"
},
{
"name": "RHSA-2018:3738",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:3738"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.ruby-lang.org/en/news/2018/11/06/ruby-2-6-0-preview3-released/"
},
{
"name": "RHSA-2018:3729",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:3729"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/387250"
},
{
"name": "RHSA-2018:3730",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:3730"
},
{
"name": "RHSA-2018:3731",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:3731"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.ruby-lang.org/en/news/2018/10/17/ruby-2-3-8-released/"
},
{
"name": "DSA-4332",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2018/dsa-4332"
},
{
"name": "USN-3808-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/3808-1/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.ruby-lang.org/en/news/2018/10/17/ruby-2-4-5-released/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20190221-0002/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.ruby-lang.org/en/news/2018/10/17/ruby-2-5-2-released/"
},
{
"name": "[debian-lts-announce] 20181028 [SECURITY] [DLA 1558-1] ruby2.1 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2018/10/msg00020.html"
},
{
"name": "1042105",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1042105"
},
{
"name": "openSUSE-SU-2019:1771",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html"
},
{
"name": "RHSA-2019:1948",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1948"
},
{
"name": "RHSA-2019:2565",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:2565"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujan2020.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2018-10-17T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in the OpenSSL library in Ruby before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.2, and 2.6.x before 2.6.0-preview3. When two OpenSSL::X509::Name objects are compared using ==, depending on the ordering, non-equal objects may return true. When the first argument is one character longer than the second, or the second argument contains a character that is one less than a character in the same position of the first argument, the result of == will be true. This could be leveraged to create an illegitimate certificate that may be accepted as legitimate and then used in signing or encryption operations."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-01-15T19:15:22.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.ruby-lang.org/en/news/2018/10/17/openssl-x509-name-equality-check-does-not-work-correctly-cve-2018-16395/"
},
{
"name": "RHSA-2018:3738",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:3738"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.ruby-lang.org/en/news/2018/11/06/ruby-2-6-0-preview3-released/"
},
{
"name": "RHSA-2018:3729",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:3729"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/387250"
},
{
"name": "RHSA-2018:3730",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:3730"
},
{
"name": "RHSA-2018:3731",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:3731"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.ruby-lang.org/en/news/2018/10/17/ruby-2-3-8-released/"
},
{
"name": "DSA-4332",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2018/dsa-4332"
},
{
"name": "USN-3808-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/3808-1/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.ruby-lang.org/en/news/2018/10/17/ruby-2-4-5-released/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20190221-0002/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.ruby-lang.org/en/news/2018/10/17/ruby-2-5-2-released/"
},
{
"name": "[debian-lts-announce] 20181028 [SECURITY] [DLA 1558-1] ruby2.1 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2018/10/msg00020.html"
},
{
"name": "1042105",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1042105"
},
{
"name": "openSUSE-SU-2019:1771",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html"
},
{
"name": "RHSA-2019:1948",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1948"
},
{
"name": "RHSA-2019:2565",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:2565"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujan2020.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-16395",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in the OpenSSL library in Ruby before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.2, and 2.6.x before 2.6.0-preview3. When two OpenSSL::X509::Name objects are compared using ==, depending on the ordering, non-equal objects may return true. When the first argument is one character longer than the second, or the second argument contains a character that is one less than a character in the same position of the first argument, the result of == will be true. This could be leveraged to create an illegitimate certificate that may be accepted as legitimate and then used in signing or encryption operations."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.ruby-lang.org/en/news/2018/10/17/openssl-x509-name-equality-check-does-not-work-correctly-cve-2018-16395/",
"refsource": "CONFIRM",
"url": "https://www.ruby-lang.org/en/news/2018/10/17/openssl-x509-name-equality-check-does-not-work-correctly-cve-2018-16395/"
},
{
"name": "RHSA-2018:3738",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:3738"
},
{
"name": "https://www.ruby-lang.org/en/news/2018/11/06/ruby-2-6-0-preview3-released/",
"refsource": "CONFIRM",
"url": "https://www.ruby-lang.org/en/news/2018/11/06/ruby-2-6-0-preview3-released/"
},
{
"name": "RHSA-2018:3729",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:3729"
},
{
"name": "https://hackerone.com/reports/387250",
"refsource": "MISC",
"url": "https://hackerone.com/reports/387250"
},
{
"name": "RHSA-2018:3730",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:3730"
},
{
"name": "RHSA-2018:3731",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:3731"
},
{
"name": "https://www.ruby-lang.org/en/news/2018/10/17/ruby-2-3-8-released/",
"refsource": "CONFIRM",
"url": "https://www.ruby-lang.org/en/news/2018/10/17/ruby-2-3-8-released/"
},
{
"name": "DSA-4332",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2018/dsa-4332"
},
{
"name": "USN-3808-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/3808-1/"
},
{
"name": "https://www.ruby-lang.org/en/news/2018/10/17/ruby-2-4-5-released/",
"refsource": "CONFIRM",
"url": "https://www.ruby-lang.org/en/news/2018/10/17/ruby-2-4-5-released/"
},
{
"name": "https://security.netapp.com/advisory/ntap-20190221-0002/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20190221-0002/"
},
{
"name": "https://www.ruby-lang.org/en/news/2018/10/17/ruby-2-5-2-released/",
"refsource": "CONFIRM",
"url": "https://www.ruby-lang.org/en/news/2018/10/17/ruby-2-5-2-released/"
},
{
"name": "[debian-lts-announce] 20181028 [SECURITY] [DLA 1558-1] ruby2.1 security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2018/10/msg00020.html"
},
{
"name": "1042105",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1042105"
},
{
"name": "openSUSE-SU-2019:1771",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html"
},
{
"name": "RHSA-2019:1948",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:1948"
},
{
"name": "RHSA-2019:2565",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:2565"
},
{
"name": "https://www.oracle.com/security-alerts/cpujan2020.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujan2020.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-16395",
"datePublished": "2018-11-16T18:00:00.000Z",
"dateReserved": "2018-09-03T00:00:00.000Z",
"dateUpdated": "2024-08-05T10:24:32.106Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-7798 (GCVE-0-2016-7798)
Vulnerability from nvd – Published: 2017-01-30 22:00 – Updated: 2024-08-06 02:04
VLAI
Summary
The openssl gem for Ruby uses the same initialization vector (IV) in GCM Mode (aes-*-gcm) when the IV is set before the key, which makes it easier for context-dependent attackers to bypass the encryption protection mechanism.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
8 references
| URL | Tags |
|---|---|
| http://www.openwall.com/lists/oss-security/2016/09/30/6 | mailing-listx_refsource_MLIST |
| https://www.debian.org/security/2017/dsa-3966 | vendor-advisoryx_refsource_DEBIAN |
| https://github.com/ruby/openssl/commit/8108e0a6db… | x_refsource_CONFIRM |
| http://www.openwall.com/lists/oss-security/2016/10/01/2 | mailing-listx_refsource_MLIST |
| https://lists.debian.org/debian-lts-announce/2018… | mailing-listx_refsource_MLIST |
| http://www.openwall.com/lists/oss-security/2016/09/19/9 | mailing-listx_refsource_MLIST |
| http://www.securityfocus.com/bid/93031 | vdb-entryx_refsource_BID |
| https://github.com/ruby/openssl/issues/49 | x_refsource_CONFIRM |
Date Public
2016-03-27 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T02:04:56.020Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[oss-security] 20160930 Re: CVE Request - Ruby OpenSSL Library - IV Reuse in GCM Mode",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2016/09/30/6"
},
{
"name": "DSA-3966",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2017/dsa-3966"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/ruby/openssl/commit/8108e0a6db133f3375608303fdd2083eb5115062"
},
{
"name": "[oss-security] 20160930 Re: CVE Request - Ruby OpenSSL Library - IV Reuse in GCM Mode",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2016/10/01/2"
},
{
"name": "[debian-lts-announce] 20180714 [SECURITY] [DLA 1421-1] ruby2.1 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html"
},
{
"name": "[oss-security] 20160919 CVE Request - Ruby OpenSSL Library - IV Reuse in GCM Mode",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2016/09/19/9"
},
{
"name": "93031",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/93031"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/ruby/openssl/issues/49"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-03-27T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The openssl gem for Ruby uses the same initialization vector (IV) in GCM Mode (aes-*-gcm) when the IV is set before the key, which makes it easier for context-dependent attackers to bypass the encryption protection mechanism."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-07-14T09:57:01.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "[oss-security] 20160930 Re: CVE Request - Ruby OpenSSL Library - IV Reuse in GCM Mode",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2016/09/30/6"
},
{
"name": "DSA-3966",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2017/dsa-3966"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ruby/openssl/commit/8108e0a6db133f3375608303fdd2083eb5115062"
},
{
"name": "[oss-security] 20160930 Re: CVE Request - Ruby OpenSSL Library - IV Reuse in GCM Mode",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2016/10/01/2"
},
{
"name": "[debian-lts-announce] 20180714 [SECURITY] [DLA 1421-1] ruby2.1 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html"
},
{
"name": "[oss-security] 20160919 CVE Request - Ruby OpenSSL Library - IV Reuse in GCM Mode",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2016/09/19/9"
},
{
"name": "93031",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/93031"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ruby/openssl/issues/49"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-7798",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The openssl gem for Ruby uses the same initialization vector (IV) in GCM Mode (aes-*-gcm) when the IV is set before the key, which makes it easier for context-dependent attackers to bypass the encryption protection mechanism."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[oss-security] 20160930 Re: CVE Request - Ruby OpenSSL Library - IV Reuse in GCM Mode",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2016/09/30/6"
},
{
"name": "DSA-3966",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2017/dsa-3966"
},
{
"name": "https://github.com/ruby/openssl/commit/8108e0a6db133f3375608303fdd2083eb5115062",
"refsource": "CONFIRM",
"url": "https://github.com/ruby/openssl/commit/8108e0a6db133f3375608303fdd2083eb5115062"
},
{
"name": "[oss-security] 20160930 Re: CVE Request - Ruby OpenSSL Library - IV Reuse in GCM Mode",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2016/10/01/2"
},
{
"name": "[debian-lts-announce] 20180714 [SECURITY] [DLA 1421-1] ruby2.1 security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html"
},
{
"name": "[oss-security] 20160919 CVE Request - Ruby OpenSSL Library - IV Reuse in GCM Mode",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2016/09/19/9"
},
{
"name": "93031",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/93031"
},
{
"name": "https://github.com/ruby/openssl/issues/49",
"refsource": "CONFIRM",
"url": "https://github.com/ruby/openssl/issues/49"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-7798",
"datePublished": "2017-01-30T22:00:00.000Z",
"dateReserved": "2016-09-09T00:00:00.000Z",
"dateUpdated": "2024-08-06T02:04:56.020Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}