CVSSv3 9.8

CVE-2018-16395

Published: 16/11/2018 Updated: 03/10/2019
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 668
CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

An issue exists in the OpenSSL extension library in Ruby (packaged separately as ruby-openssl on Debian) prior to 2.3.8, 2.4.x prior to 2.4.5, 2.5.x prior to 2.5.2, and 2.6.x prior to 2.6.0-preview3. When two OpenSSL::X509::Name objects are compared with ==, the result depends on operand order, and two names that are not equal can compare as equal: == returns true when the first operand is one character longer than the second, or when the second operand contains, at some position, a character that is one less than the character at the same position in the first operand. With the operands swapped the same pair compares as not equal, so the defect is asymmetric. Any code that makes a trust decision by comparing distinguished names (matching a certificate's issuer against a CA's subject, or a subject against an allow-list) can therefore be led to accept a crafted, illegitimate certificate as legitimate, and that certificate may then be used in signing or encryption operations.
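As an added example (not code from Ruby, the openssl gem, or any advisory on this page), the following pure-Ruby model reproduces the ordering-dependent equality described above beside a correct comparison, shows how an allow-list check keyed on name equality is fooled, and then probes the OpenSSL::X509::Name implementation actually installed. Assumptions not stated on the page: the underlying comparison orders names by the length of their canonical encoding and then by bytes, as OpenSSL's X509_NAME_cmp() does, and the pre-fix wrapper mapped an underlying result of exactly +1 onto "equal". The simplified canonical form, the helper names, the sample DNs and the allow-list are all constructed for illustration.

```ruby
begin
  require "openssl"
rescue LoadError
  # Ruby built without the openssl extension: the live probe below reports :unknown.
end

# Simplified canonical form of a DN: each RDN lower-cased with surrounding
# whitespace removed. The real canonical encoding is a DER structure; this
# stand-in is enough to reproduce the ordering-dependent behaviour.
def canonical(dn)
  dn.split("/").reject(&:empty?).map { |rdn| rdn.strip.downcase }.join("/")
end

# Model of the underlying comparison (assumed to behave like X509_NAME_cmp):
# length difference first, then the difference of the first differing byte.
def raw_name_cmp(a, b)
  ca = canonical(a)
  cb = canonical(b)
  diff = ca.bytesize - cb.bytesize
  return diff unless diff.zero?
  ca.bytes.zip(cb.bytes).each { |x, y| return x - y unless x == y }
  0
end

# Modelled pre-fix mapping of the raw result onto -1/0/1: a raw result of +1
# falls through to 0, so a first operand that is one byte longer, or whose
# first differing byte is one greater, compares as equal.
def vulnerable_cmp(raw)
  return -1 if raw < 0
  return 1 if raw > 1
  0
end

# Corrected mapping: any positive result means "greater", never "equal".
def fixed_cmp(raw)
  return -1 if raw < 0
  return 1 if raw > 0
  0
end

def vulnerable_equal?(a, b)
  vulnerable_cmp(raw_name_cmp(a, b)).zero?
end

def fixed_equal?(a, b)
  fixed_cmp(raw_name_cmp(a, b)).zero?
end

# A trust decision keyed on name equality: is the presented DN on the
# allow-list? `equal` is the comparator in use (a Method object).
def name_allowed?(presented, allow_list, equal)
  allow_list.any? { |trusted| equal.call(presented, trusted) }
end

TRUSTED_SUBJECTS = ["/CN=Corp Root CA"].freeze # constructed allow-list
CRAFTED_SUBJECT  = "/CN=Corp Root CB"          # 'B' is one more than 'A'

# Probe the installed OpenSSL::X509::Name. Returns true when equality behaves
# correctly (the running Ruby is not affected), false when a non-equal pair
# compares equal, or :unknown when the openssl extension is unavailable.
def installed_openssl_name_equality_ok?
  return :unknown unless defined?(OpenSSL::X509::Name)
  base   = OpenSSL::X509::Name.parse("/CN=test")
  same   = OpenSSL::X509::Name.parse("/CN=test")
  bumped = OpenSSL::X509::Name.parse("/CN=tesu")  # last char one greater
  longer = OpenSSL::X509::Name.parse("/CN=testx") # one char longer
  base == same &&
    !(bumped == base) && !(base == bumped) &&
    !(longer == base) && !(base == longer)
end

if $PROGRAM_NAME == __FILE__
  v = method(:vulnerable_equal?)
  f = method(:fixed_equal?)
  puts "modelled pre-fix: crafted subject allowed? #{name_allowed?(CRAFTED_SUBJECT, TRUSTED_SUBJECTS, v)}"
  puts "modelled fixed:   crafted subject allowed? #{name_allowed?(CRAFTED_SUBJECT, TRUSTED_SUBJECTS, f)}"
  puts "installed OpenSSL::X509::Name equality ok? #{installed_openssl_name_equality_ok?}"
end
```

On a patched Ruby the script reports that the crafted subject is allowed under the modelled pre-fix comparator and rejected under the fixed one, and that the installed OpenSSL::X509::Name passes the probe. A probe result of false means the installed openssl extension still has the defect and should be updated to one of the fixed versions listed in the summary; note that the probe checks both operand orders, since the defect only shows in one of them.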

Affected Products

ruby-lang ruby

ruby-lang ruby 2.6.0

ruby-lang openssl

canonical ubuntu linux 16.04

canonical ubuntu linux 18.10

canonical ubuntu linux 14.04

canonical ubuntu linux 18.04

debian debian linux 8.0

debian debian linux 9.0

redhat enterprise linux 7.4

Vendor Advisories

Debian Bug report logs - #911918 ruby-openssl: CVE-2018-16395: OpenSSL::X509::Name equality check does not work correctly. Package: src:ruby-openssl; Maintainer for src:ruby-openssl is Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org> ...
Synopsis: Important: rh-ruby24-ruby security, bug fix, and enhancement update. Type/Severity: Security Advisory: Important. Topic: An update for rh-ruby24-ruby is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulne ...
Synopsis: Important: ruby security update. Type/Severity: Security Advisory: Important. Topic: An update for ruby is now available for Red Hat Enterprise Linux 7.4 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring Syste ...
Synopsis: Important: rh-ruby23-ruby security, bug fix, and enhancement update. Type/Severity: Security Advisory: Important. Topic: An update for rh-ruby23-ruby is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulne ...
Synopsis: Important: ruby security update. Type/Severity: Security Advisory: Important. Topic: An update for ruby is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which ...
Synopsis: Important: ruby security update. Type/Severity: Security Advisory: Important. Topic: An update for ruby is now available for Red Hat Enterprise Linux 7.5 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring Syste ...
Synopsis: Important: rh-ruby25-ruby security, bug fix, and enhancement update. Type/Severity: Security Advisory: Important. Topic: An update for rh-ruby25-ruby is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulne ...
An issue was discovered in the OpenSSL library in Ruby. When two OpenSSL::X509::Name objects are compared using ==, depending on the ordering, non-equal objects may return true. When the first argument is one character longer than the second, or the second argument contains a character that is one less than a character in the same position of the f ...
An issue was discovered in the OpenSSL library in Ruby before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.2, and 2.6.x before 2.6.0-preview3. When two OpenSSL::X509::Name objects are compared using ==, depending on the ordering, non-equal objects may return true. When the first argument is one character longer than the second, or the second argumen ...

Github Repositories

cheque: Audit C/C++ projects (make, cmake, command line, etc.)

Like wearing a toque in the winter, ensuring your software is secure should be second nature, eh? Cheque helps you by finding all libraries used by your C/C++ projects, from A to Zed, and retrieving known vulnerabilities from OSS Index. This process saves you a significant amount of labour and time, which is much better spent playing hockey, slamming back a two-four, dri ...