GHSA-mmrq-6999-72v8

Suggest an improvement
Source
https://github.com/advisories/GHSA-mmrq-6999-72v8
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-mmrq-6999-72v8/GHSA-mmrq-6999-72v8.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-mmrq-6999-72v8
Aliases
Published
2022-05-13T01:50:20Z
Modified
2024-03-15T05:19:53.147331Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Ruby Openssl Allows Incorrect Value Comparison
Details

An issue was discovered in the OpenSSL library in Ruby when two OpenSSL::X509::Name objects are compared using ==, depending on the ordering, non-equal objects may return true. When the first argument is one character longer than the second, or the second argument contains a character that is one less than a character in the same position of the first argument, the result of == will be true. This could be leveraged to create an illegitimate certificate that may be accepted as legitimate and then used in signing or encryption operations.

References

Affected packages

RubyGems / openssl

Package

Name
openssl
Purl
pkg:gem/openssl

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.0.9

Affected versions

2.*

2.0.0.beta.1
2.0.0.beta.2
2.0.0
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8

RubyGems / openssl

Package

Name
openssl
Purl
pkg:gem/openssl

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.1.0
Fixed
2.1.2

Affected versions

2.*

2.1.0
2.1.1