
Incorrect Comparison

CVE-2018-16395

Severity: High
Score: 9.8/10 (CVSS v3 base score)

Summary

An issue was discovered in the openssl gem (the OpenSSL bindings bundled with Ruby) prior to 2.0.9, and 2.1.x prior to 2.1.2. When two OpenSSL::X509::Name objects are compared with ==, the result depends on operand order and non-equal names can compare equal: when the first operand is one character longer than the second, or the second operand contains a character whose value is one less than the character at the same position in the first operand, == returns true. The cause is the binding's handling of the return value of OpenSSL's X509_NAME_cmp(), which in affected configurations is a raw length or byte difference rather than a strict -1/0/1; a difference of exactly 1 was treated as equality. Any code that uses == on distinguished names in a trust decision (matching a certificate's issuer or subject against an expected name, or pinning on a name) could therefore accept an attacker-crafted certificate whose name differs from the legitimate one in this way, and that certificate could then be used in signing or encryption operations.
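The following is an added example, not code from the page or from the openssl gem. It does two things: it models the comparison bug described above as a pure-Ruby function (assumption: the binding clamped the raw X509_NAME_cmp() difference to -1/0/1 and, through an off-by-one, let a raw result of exactly 1 fall through as "equal"; the helper names raw_name_cmp, vulnerable_cmp and fixed_cmp are hypothetical), and it checks the openssl gem actually installed by building two pairs of names that trigger the two conditions in the advisory and confirming they do not compare equal. The sample distinguished names are constructed for the example.

```ruby
require "openssl"

# Model of OpenSSL 1.0.x X509_NAME_cmp() on plain strings: length difference
# first, then the byte-wise difference of the first mismatching byte.  A raw
# difference, not a strict -1/0/1.  (Hypothetical helper, simplified model.)
def raw_name_cmp(a, b)
  diff = a.bytesize - b.bytesize
  return diff unless diff.zero?
  a.bytes.zip(b.bytes).each { |x, y| return x - y if x != y }
  0
end

# Modelled vulnerable clamp (assumption, see lead-in): a raw result of exactly
# 1 is not caught by the "> 1" test and is reported as 0, i.e. equal.
def vulnerable_cmp(a, b)
  r = raw_name_cmp(a, b)
  return -1 if r < 0
  return 1 if r > 1      # off-by-one: r == 1 falls through below
  0
end

# Corrected clamp: any positive raw difference means "greater", never "equal".
def fixed_cmp(a, b)
  r = raw_name_cmp(a, b)
  return -1 if r < 0
  return 1 if r > 0
  0
end

# Check against the installed openssl gem.  Both DN strings are constructed
# sample input: "/CN=example.comx" is one character longer than
# "/CN=example.com", and "l" (0x6c) is one less than "m" (0x6d).
def gem_names_equal?(dn_a, dn_b)
  OpenSSL::X509::Name.parse(dn_a) == OpenSSL::X509::Name.parse(dn_b)
end

def installed_gem_fixed?
  !gem_names_equal?("/CN=example.comx", "/CN=example.com") &&
    !gem_names_equal?("/CN=example.com", "/CN=example.col")
end

if __FILE__ == $0
  puts "model, vulnerable: comx vs com -> #{vulnerable_cmp('example.comx', 'example.com')}"
  puts "model, fixed:      comx vs com -> #{fixed_cmp('example.comx', 'example.com')}"
  puts "installed openssl gem #{OpenSSL::VERSION}: #{installed_gem_fixed? ? 'not affected' : 'AFFECTED'}"
end
```

The two gem checks in installed_gem_fixed? are the ones worth running in an application that compares issuer or subject names with ==: on a patched gem both return false for ==, so the method returns true; on an affected gem at least one pair compares equal.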

CVSS v3 base metrics (vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H):

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality: HIGH
  • Integrity: HIGH
  • Availability: HIGH

CWE-697 - Incorrect Comparison

The software compares two entities in a security-relevant context, but the comparison is incorrect, which may lead to resultant weaknesses.

Advisory Timeline

  • Published