CVE-2011-4121 — Inadequate Encryption Strength in Ruby

CWE-326 — Inadequate Encryption Strength CWE-330 — Use of Insufficiently Random Values5 documents5 sources

Severity

9.8CRITICALNVD

EPSS

0.1%

top 72.36%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Ruby-lang Ruby Openssl Extension OF Ruby

Timeline

PublishedNov 26

Latest updateApr 22

Description

The OpenSSL extension of Ruby (Git trunk) versions after 2011-09-01 up to 2011-11-03 always generated an exponent value of '1' to be used for private RSA key generation. A remote attacker could use this flaw to bypass or corrupt integrity of services, depending on strong private RSA keys generation mechanism.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶CVEListV5openssl/openssl_extension_of_rubyversions after 2011-09-01 up to 2011-11-03

▶NVDruby-lang/ruby1.8.7.334 — 1.9.3

🔴Vulnerability Details

GHSA

GHSA-mjg4-5rfj-952f: The OpenSSL extension of Ruby (Git trunk) versions after 2011-09-01 up to 2011-11-03 always generated an exponent value of '1' to be used for private↗2022-04-22

▶

CVEList

CVE-2011-4121: The OpenSSL extension of Ruby (Git trunk) versions after 2011-09-01 up to 2011-11-03 always generated an exponent value of '1' to be used for private↗2019-11-26

▶

📋Vendor Advisories

Red Hat

extension): Insecure way of creation exponent value by private RSA key generation↗2011-11-03

▶

💬Community

Bugzilla

CVE-2011-4121 ruby (openssl extension): Insecure way of creation exponent value by private RSA key generation↗2011-11-07

▶