CVE-2018-16395: Improper Certificate Validation
When two OpenSSL::X509::Name objects are compared using ==, depending on the ordering, non-equal objects may return true. When the first argument is one character longer than the second, or the second argument contains a character that is one less than a character in the same position of the first argument, the result of == will be true. This could be leveraged to create an illegitimate certificate that may be accepted as legitimate and then used in signing or encryption operations.
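The comparison below is an added example, not code from the advisory or from the Ruby openssl project. It shows the mitigation a defender would apply while running on an affected Ruby: compare distinguished names by their DER encoding rather than through Name#==, and include a small self-check that reports whether the installed Name#== agrees with the DER comparison on the two orderings the advisory describes. The names (example.com, Example) and the function names names_equal? and equality_operator_consistent? are constructed for this illustration.

```ruby
require 'openssl'

# Equality of two distinguished names by canonical DER bytes. This does not
# depend on OpenSSL::X509::Name#== (broken on Ruby versions affected by
# CVE-2018-16395): two names are equal only if their encodings are identical.
def names_equal?(a, b)
  return false unless a.is_a?(OpenSSL::X509::Name) && b.is_a?(OpenSSL::X509::Name)
  a.to_der == b.to_der
end

# Constructed sample names mirroring the advisory's two edge cases:
# LONGER has a CN one character longer than REFERENCE, and ONE_LESS has a
# character ('l') that is one less than the character ('m') at the same
# position in REFERENCE. SAME is a distinct object with identical content.
REFERENCE = OpenSSL::X509::Name.new([['CN', 'example.com'],  ['O', 'Example']])
SAME      = OpenSSL::X509::Name.new([['CN', 'example.com'],  ['O', 'Example']])
LONGER    = OpenSSL::X509::Name.new([['CN', 'example.comx'], ['O', 'Example']])
ONE_LESS  = OpenSSL::X509::Name.new([['CN', 'example.col'],  ['O', 'Example']])

# Both argument orderings are listed because the advisory states that the
# faulty result depends on which name is on the left-hand side of ==.
EDGE_CASE_PAIRS = [
  [REFERENCE, SAME],
  [LONGER, REFERENCE], [REFERENCE, LONGER],
  [REFERENCE, ONE_LESS], [ONE_LESS, REFERENCE],
].freeze

# Self-check for a deployed Ruby: true when Name#== agrees with the DER
# comparison on every pair, false if the installed openssl extension still
# reports any of the non-equal pairs as equal.
def equality_operator_consistent?(pairs = EDGE_CASE_PAIRS)
  pairs.all? { |a, b| (a == b) == names_equal?(a, b) }
end

if __FILE__ == $PROGRAM_NAME
  EDGE_CASE_PAIRS.each do |a, b|
    puts "#{a} vs #{b}: DER equal=#{names_equal?(a, b)} (Name#== gives #{a == b})"
  end
  puts "Name#== consistent with DER comparison: #{equality_operator_consistent?}"
end
```

When checking that a certificate was issued by an expected CA, pass cert.issuer and ca_cert.subject to names_equal? instead of comparing them with ==; the self-check is only a detection aid, and upgrading to the fixed Ruby releases listed below remains the actual fix.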
References
- www.securitytracker.com/id/1042105
- nvd.nist.gov/vuln/detail/CVE-2018-16395
- www.ruby-lang.org/en/news/2018/10/17/openssl-x509-name-equality-check-does-not-work-correctly-cve-2018-16395/
- www.ruby-lang.org/en/news/2018/10/17/ruby-2-3-8-released/
- www.ruby-lang.org/en/news/2018/10/17/ruby-2-4-5-released/
- www.ruby-lang.org/en/news/2018/10/17/ruby-2-5-2-released/
- www.ruby-lang.org/en/news/2018/11/06/ruby-2-6-0-preview3-released/
Detect and mitigate CVE-2018-16395 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities.