Home

CVE-2018-16395

Description

An issue was discovered in the OpenSSL library in Ruby before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.2, and 2.6.x before 2.6.0-preview3. When two OpenSSL::X509::Name objects are compared using ==, depending on the ordering, non-equal objects may return true. When the first argument is one character longer than the second, or the second argument contains a character that is one less than a character in the same position of the first argument, the result of == will be true. This could be leveraged to create an illegitimate certificate that may be accepted as legitimate and then used in signing or encryption operations.

Risk Information

Base Score
9.8
MODERATE
Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score
Exploitation Probability
4.424

Associated Vulnerability

VulnerabilityOS Platform
Vulnerabilities CVE-2018-16395 are fixed in Openssl 2.0.9Windows
Vulnerabilities CVE-2018-16395 are fixed in Openssl 2.1.2Windows
ruby2.3 security update(DSA-4332-1) ruby2.3_2.3.3-1+deb9u4_i386.debLinux
ruby2.3 security update(DSA-4332-1) ruby2.3_2.3.3-1+deb9u4_amd64.debLinux
Ruby security update (CESA-2018:3738) ruby-2.0.0.648-34.el7_6.x86_64.rpmLinux
Ruby security update (CESA-2018:3738) ruby-doc-2.0.0.648-34.el7_6.noarch.rpmLinux
Ruby security update (CESA-2018:3738) ruby-irb-2.0.0.648-34.el7_6.noarch.rpmLinux
Ruby security update (CESA-2018:3738) rubygems-2.0.14.1-34.el7_6.noarch.rpmLinux
Ruby security update (CESA-2018:3738) ruby-libs-2.0.0.648-34.el7_6.i686.rpmLinux
Ruby security update (CESA-2018:3738) ruby-libs-2.0.0.648-34.el7_6.x86_64.rpmLinux
Ruby security update (CESA-2018:3738) ruby-devel-2.0.0.648-34.el7_6.x86_64.rpmLinux
Ruby security update (CESA-2018:3738) ruby-tcltk-2.0.0.648-34.el7_6.x86_64.rpmLinux
Ruby security update (CESA-2018:3738) rubygem-json-1.7.7-34.el7_6.x86_64.rpmLinux
Ruby security update (CESA-2018:3738) rubygem-rake-0.9.6-34.el7_6.noarch.rpmLinux
Ruby security update (CESA-2018:3738) rubygem-rdoc-4.0.0-34.el7_6.noarch.rpmLinux
Ruby security update (CESA-2018:3738) rubygem-psych-2.0.0-34.el7_6.x86_64.rpmLinux
Ruby security update (CESA-2018:3738) rubygems-devel-2.0.14.1-34.el7_6.noarch.rpmLinux
Ruby security update (CESA-2018:3738) rubygem-minitest-4.3.2-34.el7_6.noarch.rpmLinux
Ruby security update (CESA-2018:3738) rubygem-bigdecimal-1.2.0-34.el7_6.x86_64.rpmLinux
Ruby security update (CESA-2018:3738) rubygem-io-console-0.4.2-34.el7_6.x86_64.rpmLinux
(RHSA-2018:3738) ruby security update ruby-2.0.0.648-34.el7_6.x86_64.rpmLinux
(RHSA-2018:3738) ruby security update ruby-devel-2.0.0.648-34.el7_6.x86_64.rpmLinux
(RHSA-2018:3738) ruby security update ruby-doc-2.0.0.648-34.el7_6.noarch.rpmLinux
(RHSA-2018:3738) ruby security update ruby-irb-2.0.0.648-34.el7_6.noarch.rpmLinux
(RHSA-2018:3738) ruby security update ruby-libs-2.0.0.648-34.el7_6.i686.rpmLinux
(RHSA-2018:3738) ruby security update ruby-libs-2.0.0.648-34.el7_6.x86_64.rpmLinux
(RHSA-2018:3738) ruby security update ruby-tcltk-2.0.0.648-34.el7_6.x86_64.rpmLinux
(RHSA-2018:3738) ruby security update rubygem-bigdecimal-1.2.0-34.el7_6.x86_64.rpmLinux
(RHSA-2018:3738) ruby security update rubygem-io-console-0.4.2-34.el7_6.x86_64.rpmLinux
(RHSA-2018:3738) ruby security update rubygem-json-1.7.7-34.el7_6.x86_64.rpmLinux
(RHSA-2018:3738) ruby security update rubygem-minitest-4.3.2-34.el7_6.noarch.rpmLinux
(RHSA-2018:3738) ruby security update rubygem-psych-2.0.0-34.el7_6.x86_64.rpmLinux
(RHSA-2018:3738) ruby security update rubygem-rake-0.9.6-34.el7_6.noarch.rpmLinux
(RHSA-2018:3738) ruby security update rubygem-rdoc-4.0.0-34.el7_6.noarch.rpmLinux
(RHSA-2018:3738) ruby security update rubygems-2.0.14.1-34.el7_6.noarch.rpmLinux
(RHSA-2018:3738) ruby security update rubygems-devel-2.0.14.1-34.el7_6.noarch.rpmLinux
SUSE-SU-2020:1570-1(SUSE Linux Enterprise Server 12-SP4 ) libruby2_1-2_1-2.1.9-19.3.2.x86_64.rpmLinux
SUSE-SU-2020:1570-1(SUSE Linux Enterprise Server 12-SP4 ) libruby2_1-2_1-debuginfo-2.1.9-19.3.2.x86_64.rpmLinux
SUSE-SU-2020:1570-1(SUSE Linux Enterprise Server 12-SP4 ) ruby2.1-2.1.9-19.3.2.x86_64.rpmLinux
SUSE-SU-2020:1570-1(SUSE Linux Enterprise Server 12-SP4 ) ruby2.1-debuginfo-2.1.9-19.3.2.x86_64.rpmLinux
SUSE-SU-2020:1570-1(SUSE Linux Enterprise Server 12-SP4 ) ruby2.1-debugsource-2.1.9-19.3.2.x86_64.rpmLinux
SUSE-SU-2020:1570-1(SUSE Linux Enterprise Server 12-SP4 ) ruby2.1-stdlib-2.1.9-19.3.2.x86_64.rpmLinux
SUSE-SU-2020:1570-1(SUSE Linux Enterprise Server 12-SP4 ) ruby2.1-stdlib-debuginfo-2.1.9-19.3.2.x86_64.rpmLinux
SUSE-SU-2020:1570-1(SUSE Linux Enterprise Server 12-SP5 ) libruby2_1-2_1-2.1.9-19.3.2.x86_64_SP5.rpmLinux
SUSE-SU-2020:1570-1(SUSE Linux Enterprise Server 12-SP5 ) libruby2_1-2_1-debuginfo-2.1.9-19.3.2.x86_64_SP5.rpmLinux
SUSE-SU-2020:1570-1(SUSE Linux Enterprise Server 12-SP5 ) ruby2.1-2.1.9-19.3.2.x86_64_SP5.rpmLinux
SUSE-SU-2020:1570-1(SUSE Linux Enterprise Server 12-SP5 ) ruby2.1-debuginfo-2.1.9-19.3.2.x86_64_SP5.rpmLinux
SUSE-SU-2020:1570-1(SUSE Linux Enterprise Server 12-SP5 ) ruby2.1-debugsource-2.1.9-19.3.2.x86_64_SP5.rpmLinux
SUSE-SU-2020:1570-1(SUSE Linux Enterprise Server 12-SP5 ) ruby2.1-stdlib-2.1.9-19.3.2.x86_64_SP5.rpmLinux
SUSE-SU-2020:1570-1(SUSE Linux Enterprise Server 12-SP5 ) ruby2.1-stdlib-debuginfo-2.1.9-19.3.2.x86_64_SP5.rpmLinux
CVE-2018-16395NCM

Patch Details

No records found

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234