Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
5.8
CVSSv2

CVE-2014-2734

Published: 24/04/2014 Updated: 11/04/2024
CVSS v2 Base Score: 5.8 | Impact Score: 4.9 | Exploitability Score: 8.6
VMScore: 516
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N
Subscribe to Ruby

Vulnerability Summary

The openssl extension in Ruby 2.x does not properly maintain the state of process memory after a file is reopened, which allows remote malicious users to spoof signatures within the context of a Ruby script that attempts signature verification after performing a certain sequence of filesystem operations. NOTE: this issue has been disputed by the Ruby OpenSSL team and third parties, who state that the original demonstration PoC contains errors and redundant or unnecessarily-complex code that does not appear to be related to a demonstration of the issue. As of 20140502, CVE is not aware of any public comment by the original researcher

Vulnerable Product Search on Vulmon Subscribe to Product

ruby-lang ruby 2.0.0

ruby-lang ruby 2.1.1

ruby-lang ruby 2.0

ruby-lang ruby 2.1

Vendor Advisories

Red Hat: CVE-2014-2734
** DISPUTED ** The openssl extension in Ruby 2x does not properly maintain the state of process memory after a file is reopened, which allows remote attackers to spoof signatures within the context of a Ruby script that attempts signature verification after performing a certain sequence of filesystem operations NOTE: this issue has been disputed ...

Github Repositories

https://github.com/gdisneyleugers/CVE-2014-2734

Ruby OpenSSL CA Private Key Spoofing

CVE-2014-2734 Ruby OpenSSL CA Private Key Spoofing ============= Ruby openssl has a vulnerability when a public key is a issued prior writing to private key and is reopened during a script it spoofs a CA private key PoC script gistgithubcom/10446549 Mitre: cvemitreorg/cgi-bin/cvenamecgi?name=2014-2734 SecurityFocus: wwwsecurityfocuscom/bid/66956

References

CWE-399http://seclists.org/fulldisclosure/2014/Apr/231http://packetstormsecurity.com/files/126218/Ruby-OpenSSL-Private-Key-Spoofing.htmlhttps://gist.github.com/10446549https://github.com/adrienthebo/cve-2014-2734/https://gist.github.com/emboss/91696b56cd227c8a0c13http://www.osvdb.org/106006http://www.securityfocus.com/bid/66956https://news.ycombinator.com/item?id=7601973http://seclists.org/fulldisclosure/2014/May/13https://www.ruby-lang.org/en/news/2014/05/09/dispute-of-vulnerability-cve-2014-2734/https://nvd.nist.govhttps://github.com/gdisneyleugers/CVE-2014-2734https://access.redhat.com/security/cve/cve-2014-2734
CVSSv2
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2022-38028CVE-2024-32406CVE-2024-25624IMAPCVE-2024-2310CVE-2024-0874CVE-2024-20359XXEremote code execution
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook