ruby-lang/openssl: The latest CVE Vulnerabilities and Exploits for Penetration Test

 

Page content

ruby-lang/openssl Vulnerability Summary

  • Vendor name: ruby-lang
  • Product name: openssl
  • Total vulnerabilities: 2 (as 2023-05-04)

ruby-lang/openssl Vulnerability List

CVE-2018-16395: An issue was discovered in the OpenSSL library in Ruby before 2.3.8, 2.4.x before 2.4.5, 2.5.x…

Published: 2018-11-16T18:29:00 Last Modified: 2019-10-03T00:03:00

Summary

An issue was discovered in the OpenSSL library in Ruby before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.2, and 2.6.x before 2.6.0-preview3. When two OpenSSL::X509::Name objects are compared using ==, depending on the ordering, non-equal objects may return true. When the first argument is one character longer than the second, or the second argument contains a character that is one less than a character in the same position of the first argument, the result of == will be true. This could be leveraged to create an illegitimate certificate that may be accepted as legitimate and then used in signing or encryption operations.

Scores

  • Impact Score: 6.4
  • Exploitability Score: 10.0
  • CVSS: 7.5
  • CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Impact

  • Availability: PARTIAL
  • Confidentiality: PARTIAL
  • Integrity: PARTIAL

Access

  • Authentication: NONE
  • Complexity: LOW
  • Vector: NETWORK

Currently, there is no code for exploiting the CVE-2018-16395 vulnerability.

References

See also: All popular products CVE Vulnerabilities of ruby-lang

CVE-2016-7798: The openssl gem for Ruby uses the same initialization vector (IV) in GCM Mode (aes-*-gcm) when…

Published: 2017-01-30T22:59:00 Last Modified: 2020-11-05T14:56:00

Summary

The openssl gem for Ruby uses the same initialization vector (IV) in GCM Mode (aes-*-gcm) when the IV is set before the key, which makes it easier for context-dependent attackers to bypass the encryption protection mechanism.

Common Weakness Enumeration (CWE): CWE-326: Inadequate Encryption Strength

CWE Description: The software stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

Scores

  • Impact Score: 2.9
  • Exploitability Score: 10.0
  • CVSS: 5.0
  • CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Impact

  • Availability: NONE
  • Confidentiality: PARTIAL
  • Integrity: NONE

Access

  • Authentication: NONE
  • Complexity: LOW
  • Vector: NETWORK

Currently, there is no code for exploiting the CVE-2016-7798 vulnerability.

References

See also: All popular products CVE Vulnerabilities of ruby-lang