CVE-2018-16395 High Severity Vulnerability detected by WhiteSource #1
Description
CVE-2018-16395 - High Severity Vulnerability
Vulnerable Library - openssl-2.0.3.gem
It wraps the OpenSSL library.
path: /gems/2.3.0/cache/openssl-2.0.3.gem
Library home page: https://rubygems.org/gems/openssl-2.0.3.gem
Dependency Hierarchy:
- ❌ openssl-2.0.3.gem (Vulnerable Library)
Vulnerability Details
An issue was discovered in the OpenSSL library in Ruby before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.2, and 2.6.x before 2.6.0-preview3. When two OpenSSL::X509::Name objects are compared using ==, depending on the ordering, non-equal objects may return true. When the first argument is one character longer than the second, or the second argument contains a character that is one less than a character in the same position of the first argument, the result of == will be true. This could be leveraged to create an illegitimate certificate that may be accepted as legitimate and then used in signing or encryption operations.
Publish Date: 2018-11-16
URL: CVE-2018-16395
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: http://www.securitytracker.com/id/1042105
Fix Resolution: The vendor has issued a source code fix (r65139) [in October 2018].
The vendor advisory is available at:
Step up your Open Source Security Game with WhiteSource here