CVE-2018-16395 openssl

Package

Manager: gem
Name: openssl
Vulnerable Version: >=0 <2.0.9 || >=2.1.0 <2.1.2

Severity

Level: Critical

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

EPSS: 0.05305 (percentile: 0.89641)

Details

Ruby OpenSSL Allows Incorrect Value Comparison

An issue was discovered in the OpenSSL library in Ruby. When two `OpenSSL::X509::Name` objects are compared using `==`, non-equal objects may compare as equal (`==` returns true), depending on the ordering of the operands. When the first argument is one character longer than the second, or the second argument contains a character that is one less than a character in the same position of the first argument, the result of `==` will be true. This could be leveraged to create an illegitimate certificate that may be accepted as legitimate and then used in signing or encryption operations.
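A defensive check for the comparison flaw described above, added here as an example and not taken from the advisory or the openssl gem. The helper names and sample names are constructed, and the DER byte comparison is an assumed conservative stopgap for affected versions, stricter than normal name matching.

```ruby
require "openssl"
require "rubygems"

# Affected ranges as listed in this advisory: >=0 <2.0.9 || >=2.1.0 <2.1.2
VULNERABLE_RANGES = [
  Gem::Requirement.new(">= 0", "< 2.0.9"),
  Gem::Requirement.new(">= 2.1.0", "< 2.1.2")
].freeze

# True when the given openssl gem version falls inside an affected range.
def vulnerable_openssl_gem?(version)
  v = Gem::Version.new(version)
  VULNERABLE_RANGES.any? { |range| range.satisfied_by?(v) }
end

# Hypothetical helper: names are equal only if their DER encodings are
# byte-identical, so the result does not depend on Name#==.
def names_equal?(a, b)
  a.to_der == b.to_der
end

# Hypothetical gate for trust decisions: use the byte comparison on affected
# gem versions and the library's own == everywhere else.
def issuer_matches?(issuer, trusted, gem_version = OpenSSL::VERSION)
  return names_equal?(issuer, trusted) if vulnerable_openssl_gem?(gem_version)
  issuer == trusted
end

# Constructed sample names covering the two cases the advisory describes.
TRUSTED  = OpenSSL::X509::Name.parse("/DC=org/DC=example/CN=Example CA")
LONGER   = OpenSSL::X509::Name.parse("/DC=org/DC=example/CN=Example CAx")
ONE_MORE = OpenSSL::X509::Name.parse("/DC=org/DC=example/CN=Example CB")

if __FILE__ == $PROGRAM_NAME
  puts "openssl gem #{OpenSSL::VERSION} affected: " \
       "#{vulnerable_openssl_gem?(OpenSSL::VERSION)}"
  [LONGER, ONE_MORE, TRUSTED].each do |name|
    puts "#{name} matches trusted issuer: #{issuer_matches?(name, TRUSTED)}"
  end
end
```
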

Metadata

Created: 2022-05-13T01:50:20Z
Modified: 2023-07-24T20:06:51Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-mmrq-6999-72v8/GHSA-mmrq-6999-72v8.json
CWE IDs: []
Alternative ID: GHSA-mmrq-6999-72v8
Finding: F184
Auto approve: 1