PT-2018-2985 · Ruby+6

Published: 2018-10-17 · Updated: 2022-09-06 · CVE-2018-16395

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

Ruby versions prior to 2.3.8
Ruby versions 2.4.x prior to 2.4.5
Ruby versions 2.5.x prior to 2.5.2
Ruby versions 2.6.x prior to 2.6.0-preview3
Description

The issue lies in the comparison of two OpenSSL::X509::Name objects with the == operator, which may return true for non-equal objects depending on the order of the operands. This could be leveraged to craft an illegitimate certificate that is accepted as legitimate and then used in signing or encryption operations. The vulnerability stems from errors in data processing and could allow a remote attacker to forge an X509 certificate.
Recommendations

For Ruby versions prior to 2.3.8, update to version 2.3.8 or later.
For Ruby versions 2.4.x prior to 2.4.5, update to version 2.4.5 or later.
For Ruby versions 2.5.x prior to 2.5.2, update to version 2.5.2 or later.
For Ruby versions 2.6.x prior to 2.6.0-preview3, update to version 2.6.0-preview3 or later.
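As an added example (not part of this advisory or of Ruby's own code), the following Ruby snippet shows the two checks a maintainer would want here: a distinguished-name comparison that goes through the canonical DER encoding rather than relying on ==, so the result cannot depend on operand order; a consistency check that evaluates == in both orders on the running interpreter and flags a mismatch, which is the symptom the advisory describes; and a version gate that applies the affected ranges listed above to a Ruby version string. The helper names, the sample distinguished names and the use of Gem::Version for range checks are assumptions made for illustration.

```ruby
require 'openssl'
require 'rubygems'

# First fixed release on each branch, taken from the advisory's recommendations.
FIXED_RUBY = {
  '2.3' => Gem::Version.new('2.3.8'),
  '2.4' => Gem::Version.new('2.4.5'),
  '2.5' => Gem::Version.new('2.5.2'),
  '2.6' => Gem::Version.new('2.6.0-preview3')
}.freeze

# True when +version_string+ falls inside an affected range: anything before
# 2.3.8 (which covers older branches such as 2.2.x), or a 2.4/2.5/2.6 release
# older than that branch's fix. Branches newer than 2.6 are outside the
# advisory and are reported as not affected.
def vulnerable_ruby?(version_string)
  v = Gem::Version.new(version_string)
  branch = v.segments[0, 2].join('.')
  fixed = FIXED_RUBY[branch]
  return v < FIXED_RUBY['2.3'] if fixed.nil?   # 2.2.x and older -> true, 2.7+ -> false
  v < fixed
end

# Compares two distinguished names by their canonical DER encoding. Byte-string
# equality is symmetric and transitive, so the answer cannot depend on which
# operand is on the left.
def same_name?(a, b)
  a.to_der == b.to_der
end

# Evaluates == in both operand orders and against the DER comparison. A mismatch
# between the three results is the symptom the advisory describes and points at
# an unpatched interpreter.
def consistent_comparison?(a, b)
  forward  = (a == b)
  backward = (b == a)
  forward == backward && forward == same_name?(a, b)
end

# Constructed sample names: A and B are the same subject, C differs in CN.
NAME_A = OpenSSL::X509::Name.new([['CN', 'example.test'], ['O', 'Example Org']])
NAME_B = OpenSSL::X509::Name.new([['CN', 'example.test'], ['O', 'Example Org']])
NAME_C = OpenSSL::X509::Name.new([['CN', 'other.test'],   ['O', 'Example Org']])

if __FILE__ == $PROGRAM_NAME
  puts "running Ruby #{RUBY_VERSION}: affected per advisory? #{vulnerable_ruby?(RUBY_VERSION)}"
  [[NAME_A, NAME_B], [NAME_A, NAME_C]].each do |x, y|
    puts "#{x} vs #{y}: same=#{same_name?(x, y)} consistent=#{consistent_comparison?(x, y)}"
  end
end
```

Running the script on a patched interpreter prints consistent=true for both pairs; on an interpreter in one of the affected ranges the version gate reports true, and any pair for which consistent_comparison? returns false is a concrete reproduction of the ordering-dependent result on that machine.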

Related Identifiers

ALT-PU-2019-1050
BDU:2019-03218
CESA-2018_3738
CVE-2018-16395
DLA-1558-1
DSA-4332-1
GHSA-MMRQ-6999-72V8
MGASA-2018-0411
OPENSUSE-SU-2019:1771-1
RHSA-2018:3729
RHSA-2018:3730
RHSA-2018:3731
RHSA-2018:3738
RHSA-2019:1948
RHSA-2019:2565
SUSE-SU-2019:1804-1
SUSE-SU-2020:1570-1
SUSE-SU-2022:15034-1
USN-3808-1

Affected Products

Alt Linux
Centos
Openssl
Red Hat
Ruby
Suse
Ubuntu