VDB

ALPINE-CVE-2018-16395

ALPINE-CVE-2018-16395 PUBLISHED CVSS 9.800000190734863 CRITICAL

An issue was discovered in the OpenSSL library in Ruby before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.2, and 2.6.x before 2.6.0-preview3. When two OpenSSL::X509::Name objects are compared using ==, depending on the ordering, non-equal objects may return true. When the first argument is one character longer than the second, or the second argument contains a character that is one less than a character in the same position of the first argument, the result of == will be true. This could be leveraged to create an illegitimate certificate that may be accepted as legitimate and then used in signing or encryption operations.

Risk Scores

CVSS 3.0
9.800000190734863
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersions
Alpine:v3.14ruby2.3.0, 0, 2.5.1-r2
Alpine:v3.9ruby2.3.0, 2.3.3-r2, 2.3.3-r3
Alpine:v3.22ruby0, 0, 0
Alpine:v3.17ruby2.3.3-r1, 2.3.0, 0
Alpine:v3.4ruby*, 1.8.7_p352-r2, 1.8.7_p299-r1
Alpine:v3.23ruby0, 0, 0
Alpine:v3.12ruby2.0.0, 1.8.7_p174-r0, 1.8.7_p174-r1
Alpine:v3.11ruby0, 2.4.1-r1, 2.4.1-r2
Alpine:v3.19ruby2.4.2-r1, 0, 1.8.7
Alpine:v3.13ruby2.5.0-r0, 2.4.3-r0, 2.4.2-r1
Alpine:v3.16ruby1.8.7_p160-r2, 2.3.0, 0
Alpine:v3.8ruby1.9.3_p392-r0, *, *
Alpine:v3.20ruby0, 0, 0
Alpine:v3.21ruby0, 0, 0
Alpine:v3.18ruby2.0.0_p247-r0, 2.3.0, 0
Alpine:v3.7ruby2.2.3-r1, 2.3.0, 0
Alpine:v3.6ruby1.8.7, 2.0.0_p353-r1, 2.0.0_p353-r2
Alpine:v3.15ruby2.5.0-r1, 2.3.1-r1, 2.3.1-r2
Alpine:v3.24ruby2.3.0, 0
Alpine:v3.5ruby1.8.7, 1.8.7, 1.8.7

Timeline

  • Nov 16, 2018 CVE Published
  • Apr 30, 2026 Distribution Patch
  • Jul 8, 2026 CVE Updated
Open in Interactive Console →
$ Console Community · 100/wk Open console ›