OSVDB-62067: Bug reduced the entropy of hashed passwords containing non US-ASCII characters

February 1, 2010

This package suffered from a bug related to character encoding that substantially reduced the entropy of hashed passwords containing non US-ASCII characters. An incorrect encoding step transparently replaced such characters by ‘?’ prior to hashing. In the worst case of a password consisting solely of non-US-ASCII characters, this would cause its hash to be equivalent to all other such passwords of the same length. This issue only affects the JRuby implementation.

References

github.com/codahale/bcrypt-ruby/commit/92c8e4e3760d089e494b7a3ac1faa563681868c7
github.com/rubysec/ruby-advisory-db/blob/master/gems/bcrypt-ruby/OSVDB-62067.yml

Detect and mitigate OSVDB-62067 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →