VDB
ALPINE-CVE-2018-16395
ALPINE-CVE-2018-16395
PUBLISHED
CVSS 9.800000190734863 CRITICAL
An issue was discovered in the OpenSSL library in Ruby before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.2, and 2.6.x before 2.6.0-preview3. When two OpenSSL::X509::Name objects are compared using ==, depending on the ordering, non-equal objects may return true. When the first argument is one character longer than the second, or the second argument contains a character that is one less than a character in the same position of the first argument, the result of == will be true. This could be leveraged to create an illegitimate certificate that may be accepted as legitimate and then used in signing or encryption operations.
Risk Scores
CVSS 3.0
9.800000190734863
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Alpine:v3.14 | ruby | 2.3.0, 0, 2.5.1-r2 |
| Alpine:v3.9 | ruby | 2.3.0, 2.3.3-r2, 2.3.3-r3 |
| Alpine:v3.22 | ruby | 0, 0, 0 |
| Alpine:v3.17 | ruby | 2.3.3-r1, 2.3.0, 0 |
| Alpine:v3.4 | ruby | *, 1.8.7_p352-r2, 1.8.7_p299-r1 |
| Alpine:v3.23 | ruby | 0, 0, 0 |
| Alpine:v3.12 | ruby | 2.0.0, 1.8.7_p174-r0, 1.8.7_p174-r1 |
| Alpine:v3.11 | ruby | 0, 2.4.1-r1, 2.4.1-r2 |
| Alpine:v3.19 | ruby | 2.4.2-r1, 0, 1.8.7 |
| Alpine:v3.13 | ruby | 2.5.0-r0, 2.4.3-r0, 2.4.2-r1 |
| Alpine:v3.16 | ruby | 1.8.7_p160-r2, 2.3.0, 0 |
| Alpine:v3.8 | ruby | 1.9.3_p392-r0, *, * |
| Alpine:v3.20 | ruby | 0, 0, 0 |
| Alpine:v3.21 | ruby | 0, 0, 0 |
| Alpine:v3.18 | ruby | 2.0.0_p247-r0, 2.3.0, 0 |
| Alpine:v3.7 | ruby | 2.2.3-r1, 2.3.0, 0 |
| Alpine:v3.6 | ruby | 1.8.7, 2.0.0_p353-r1, 2.0.0_p353-r2 |
| Alpine:v3.15 | ruby | 2.5.0-r1, 2.3.1-r1, 2.3.1-r2 |
| Alpine:v3.24 | ruby | 2.3.0, 0 |
| Alpine:v3.5 | ruby | 1.8.7, 1.8.7, 1.8.7 |
Timeline
- Nov 16, 2018 CVE Published
- Apr 30, 2026 Distribution Patch
- Jul 8, 2026 CVE Updated