Incorrect Comparison
CVE-2018-16395
Summary
An issue was discovered in the OpenSSL library in Ruby prior to 2.0.9, and 2.1.x prior to 2.1.2. When two "OpenSSL::X509::Name" objects are compared using "==", depending on the ordering, non-equal objects may return true. When the first argument is one character longer than the second, or the second argument contains a character that is one less than a character in the same position of the first argument, the result of "==" will be true. This could be leveraged to create an illegitimate certificate that may be accepted as legitimate and then used in signing or encryption operations.
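The two failing cases named in the summary (first operand one character longer; second operand holding a byte one less at the same position) are easy to reproduce as a model. The Ruby below is an added illustration for this page, not code from the advisory or from Ruby's openssl extension: `flawed_equal?` is a constructed model of the symptoms the summary describes (a comparison result of +1 mistaken for equality), not the C code that actually shipped, and the three distinguished names are made up for the example. `strict_equal?` is the kind of full-length check a caller can use to compare names independently of the library's `==`.

```ruby
require "openssl"

# Constructed sample distinguished names (not taken from the advisory).
LEGIT  = OpenSSL::X509::Name.new([["CN", "example.org"]])
LONGER = OpenSSL::X509::Name.new([["CN", "example.orgx"]]) # one character longer than LEGIT
LESSER = OpenSSL::X509::Name.new([["CN", "example.orf"]])  # 'f' is one less than LEGIT's 'g'

# Model of the faulty comparison the advisory describes: a comparison result of
# +1 (first name one byte longer, or the first differing byte one greater in the
# first name) is mistaken for equality. Written for this page as an illustration;
# it is not the code that shipped in the vulnerable extension.
def flawed_equal?(a, b)
  da, db = a.to_der, b.to_der
  diff = da.bytesize - db.bytesize
  if diff.zero?
    # Equal lengths: find the first differing byte, as memcmp-style code would.
    idx = (0...da.bytesize).find { |i| da.getbyte(i) != db.getbyte(i) }
    diff = idx ? da.getbyte(idx) - db.getbyte(idx) : 0
  end
  diff == 0 || diff == 1 # the modelled bug: +1 is accepted as "equal"
end

# Strict equality: the two DER encodings must match byte for byte over their
# full length. No ordering dependence and no shortcut on a +1 result.
def strict_equal?(a, b)
  a.to_der == b.to_der
end

# Outcomes for each pairing as [flawed, strict], so callers and tests can inspect them.
# "reversed" swaps the operands of the "longer" case to show the order dependence
# mentioned in the summary.
def compare_all
  {
    same:     [flawed_equal?(LEGIT, LEGIT),  strict_equal?(LEGIT, LEGIT)],
    longer:   [flawed_equal?(LONGER, LEGIT), strict_equal?(LONGER, LEGIT)],
    reversed: [flawed_equal?(LEGIT, LONGER), strict_equal?(LEGIT, LONGER)],
    lesser:   [flawed_equal?(LEGIT, LESSER), strict_equal?(LEGIT, LESSER)],
  }
end

if __FILE__ == $0
  compare_all.each do |label, (flawed, strict)|
    puts "#{label}: flawed==#{flawed} strict==#{strict}"
  end
end
```

Running the block prints `longer: flawed==true strict==false` and `lesser: flawed==true strict==false`: the modelled comparison accepts both non-equal names while the strict check rejects them, and `reversed` shows the flawed result flipping to false when the operands are swapped. One caveat on the strict check: comparing `to_der` output is stricter than OpenSSL's own `X509_NAME_cmp`, which compares a canonicalised encoding that normalises case and whitespace for some string types, so two names OpenSSL would treat as equal can be reported unequal here. That is acceptable for a defensive check; the fix for the advisory itself is to upgrade to a version where `==` is correct.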
- LOW
- NETWORK
- HIGH
- UNCHANGED
- NONE
- NONE
- HIGH
- HIGH
CWE-697 - Incorrect Comparison
The software compares two entities in a security-relevant context, but the comparison is incorrect, which may lead to resultant weaknesses.
References
Advisory Timeline
- Published