CVE-2018-16395
published 2018-11-16

Priority: P351
Severity: critical, 9.8 (CVSS 3.0)
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 10.71% (95.3rd percentile)
An issue was discovered in the OpenSSL library in Ruby before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.2, and 2.6.x before 2.6.0-preview3. When two OpenSSL::X509::Name objects are compared using ==, depending on the ordering, non-equal objects may return true. When the first argument is one character longer than the second, or the second argument contains a character that is one less than a character in the same position of the first argument, the result of == will be true. This could be leveraged to create an illegitimate certificate that may be accepted as legitimate and then used in signing or encryption operations.
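The two trigger conditions in the description both correspond to a raw comparison result of exactly 1: a length difference of one byte, or a first differing byte whose value is one higher in the first operand. The added Ruby example below is not code from the page or from the ruby/openssl project. It models that raw comparison (length difference first, then byte difference; an assumption inferred from the advisory, not the library's source) and the flawed -1/0/1 translation the advisory describes beside the corrected one, then probes the installed Ruby/openssl pair with two real OpenSSL::X509::Name objects whose constructed CN values differ by one trailing character. Note that swapping the operands changes the raw sign, which is why the description says the outcome depends on ordering.

```ruby
require "openssl"

# Model of the raw comparison result the wrapper had to translate into
# -1/0/1: the length difference first, and only when the lengths match the
# difference of the first differing byte. (Assumption: this mirrors how the
# advisory's two trigger conditions arise; it is not the library's source.)
def raw_name_cmp(a, b)
  diff = a.bytesize - b.bytesize
  return diff unless diff.zero?
  a.bytes.zip(b.bytes).each { |x, y| return x - y if x != y }
  0
end

# The flawed translation described by the advisory, modelled here: only a
# raw result below 0 or above 1 counts as "different", so a raw result of
# exactly 1 (one byte longer, or one byte value higher at the same position)
# is reported as equal.
def vulnerable_equal?(a, b)
  r = raw_name_cmp(a, b)
  !(r < 0 || r > 1)
end

# Corrected translation: equal only when the raw result is exactly 0.
def fixed_equal?(a, b)
  raw_name_cmp(a, b).zero?
end

# Behavioural probe of the installed Ruby/openssl pair using real
# OpenSSL::X509::Name objects. The first name is one character longer than
# the second, one of the advisory's trigger conditions; the CN values are
# constructed for this example. A patched runtime returns false.
def cve_2018_16395_present?
  longer  = OpenSSL::X509::Name.new([["CN", "example.comx"]])
  shorter = OpenSSL::X509::Name.new([["CN", "example.com"]])
  longer == shorter
end

if __FILE__ == $0
  [["abcd", "abc"], ["abd", "abc"], ["abc", "abcd"], ["abe", "abc"]].each do |a, b|
    printf("%-6s vs %-6s vulnerable=%-5s fixed=%s\n",
           a.inspect, b.inspect, vulnerable_equal?(a, b), fixed_equal?(a, b))
  end
  state = cve_2018_16395_present? ? "VULNERABLE" : "correct"
  puts "X509::Name#== on this runtime is #{state}"
end
```

Run the probe on every Ruby runtime that builds or validates certificate chains, since subject/issuer matching during chain construction is exactly where a false "equal" on distinguished names lets an illegitimate certificate stand in for a legitimate one. Checking the behaviour rather than a version string is deliberate: the fix shipped both in bundled openssl extensions (Ruby 2.3.8, 2.4.5, 2.5.2) and in standalone gem releases, so a gem version alone does not tell the whole story.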

Affected

36 ranges · showing 25

Vendor      Product                                    Version range        Fixed in
canonical   ubuntu_linux                               (4 entries, no range given)
debian      debian_linux                               (2 entries, no range given)
msrc        cbl_mariner_1.0_arm
msrc        cbl_mariner_1.0_x64
msrc        cm1_openssl_1.1.1k-5_on_cbl_mariner_1.0
openssl     openssl                                    >= 0 < 2.0.9         2.0.9
openssl     openssl                                    >= 2.1.0 < 2.1.2     2.1.2
redhat      enterprise_linux
ruby-lang   openssl                                    < 2.1.2              2.1.2
ruby-lang   ruby                                       (no range given)
ruby-lang   ruby                                       >= 0 < 2.5.2-r0      2.5.2-r0   (listed 11 times)

The "openssl / openssl" rows with fixed versions 2.0.9 and 2.1.2 refer to the Ruby openssl gem, not to the OpenSSL C library (which has no 2.0.x or 2.1.x releases); the C library itself is not the affected component.

CVSS provenance

Source          Version  Score  Severity  Vector
nvd             3.0      9.8    CRITICAL  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd             2.0      7.5    HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P
osv                      9.8    CRITICAL
vendor_msrc              9.8    CRITICAL
vendor_oracle            9.8    CRITICAL
vendor_redhat            9.8    CRITICAL
vendor_ubuntu            9.8    CRITICAL