Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

nvd логотип

CVE-2018-16395

Опубликовано: 16 нояб. 2018
Источник: nvd
CVSS3: 9.8
CVSS2: 7.5
EPSS Низкий

Описание

An issue was discovered in the OpenSSL library in Ruby before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.2, and 2.6.x before 2.6.0-preview3. When two OpenSSL::X509::Name objects are compared using ==, depending on the ordering, non-equal objects may return true. When the first argument is one character longer than the second, or the second argument contains a character that is one less than a character in the same position of the first argument, the result of == will be true. This could be leveraged to create an illegitimate certificate that may be accepted as legitimate and then used in signing or encryption operations.

Ссылки

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:ruby-lang:openssl:*:*:*:*:*:ruby:*:*
Версия до 2.1.2 (исключая)
cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*
Версия от 2.3.0 (включая) до 2.3.7 (включая)
cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*
Версия от 2.4.0 (включая) до 2.4.4 (включая)
cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*
Версия от 2.5.0 (включая) до 2.5.1 (включая)
cpe:2.3:a:ruby-lang:ruby:2.6.0:preview1:*:*:*:*:*:*
cpe:2.3:a:ruby-lang:ruby:2.6.0:preview2:*:*:*:*:*:*
Конфигурация 2

Одно из

cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*
Конфигурация 3

Одно из

cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
Конфигурация 4
cpe:2.3:o:redhat:enterprise_linux:7.4:*:*:*:*:*:*:*

EPSS

Процентиль: 90%
0.05402
Низкий

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

NVD-CWE-noinfo

Связанные уязвимости

ubuntu логотип

CVE-2018-16395

CVSS3: 9.8
ubuntu
почти 7 лет назад

An issue was discovered in the OpenSSL library in Ruby before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.2, and 2.6.x before 2.6.0-preview3. When two OpenSSL::X509::Name objects are compared using ==, depending on the ordering, non-equal objects may return true. When the first argument is one character longer than the second, or the second argument contains a character that is one less than a character in the same position of the first argument, the result of == will be true. This could be leveraged to create an illegitimate certificate that may be accepted as legitimate and then used in signing or encryption operations.

redhat логотип

CVE-2018-16395

CVSS3: 7.5
redhat
почти 7 лет назад

An issue was discovered in the OpenSSL library in Ruby before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.2, and 2.6.x before 2.6.0-preview3. When two OpenSSL::X509::Name objects are compared using ==, depending on the ordering, non-equal objects may return true. When the first argument is one character longer than the second, or the second argument contains a character that is one less than a character in the same position of the first argument, the result of == will be true. This could be leveraged to create an illegitimate certificate that may be accepted as legitimate and then used in signing or encryption operations.

msrc логотип

CVE-2018-16395

CVSS3: 9.8
msrc
почти 5 лет назад

Описание отсутствует

debian логотип

CVE-2018-16395

CVSS3: 9.8
debian
почти 7 лет назад

An issue was discovered in the OpenSSL library in Ruby before 2.3.8, 2 ...

github логотип

GHSA-mmrq-6999-72v8

CVSS3: 9.8
github
больше 3 лет назад

Ruby Openssl Allows Incorrect Value Comparison

EPSS

Процентиль: 90%
0.05402
Низкий

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

NVD-CWE-noinfo