Name Comparison Vulnerability in OpenSSL Library by Ruby
CVE-2018-16395

9.8CRITICAL

Key Information:

Vendor: Ruby-lang
Status: Ruby; OpenSSL
Vendor: CVE Published:; 16 November 2018

What is CVE-2018-16395?

A flaw was identified in the OpenSSL library used by Ruby, where two OpenSSL::X509::Name objects can be incorrectly evaluated as equal under certain conditions. This occurs if the objects have characters that differ by one position or length. Consequently, it can lead to the creation of illegitimate certificates, which may be erroneously trusted, posing risks for signing and encryption operations.

References

https://www.ruby-lang.org/en/news/2018/10/17/openssl-x509...

x_refsource_CONFIRM

https://access.redhat.com/errata/RHSA-2018:3738

vendor-advisoryx_refsource_REDHAT

https://www.ruby-lang.org/en/news/2018/11/06/ruby-2-6-0-p...

x_refsource_CONFIRM

EPSS Score

8% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 16, 2018
Vulnerability Reserved
Sep 3, 2018

Ruby-lang

What is CVE-2018-16395?

References

EPSS Score

CVSS V3.1

Timeline