Skip to content

OpenSSL gem for Ruby using inadequate encryption strength

High severity GitHub Reviewed Published Oct 24, 2017 to the GitHub Advisory Database • Updated Jul 3, 2023

Package

bundler openssl (RubyGems)

Affected versions

< 2.0.0

Patched versions

2.0.0

Description

The OpenSSL gem for Ruby uses the same initialization vector (IV) in GCM Mode (aes-*-gcm) when the IV is set before the key, which makes it easier for context-dependent attackers to bypass the encryption protection mechanism.

References

Published to the GitHub Advisory Database Oct 24, 2017
Reviewed Jun 16, 2020
Last updated Jul 3, 2023

Severity

High
7.5
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Weaknesses

CVE ID

CVE-2016-7798

GHSA ID

GHSA-6h88-qjpv-p32m

Source code

Checking history
See something to contribute? Suggest improvements for this vulnerability.