#VU8121 Security restrictions bypass in RubyGems - CVE-2016-7798
Published: September 6, 2017
Vulnerability identifier: #VU8121
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2016-7798
CWE-ID: CWE-264
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
RubyGems
RubyGems
Software vendor:
Ruby
Ruby
Description
The vulnerability allows a remote attacker to bypass security restrictions on the target system.
The weakness exists due to the openssl gem for Ruby uses the same initialization vector (IV) in GCM Mode (aes-*-gcm) when the IV is set before the key. A remote attacker can bypass the encryption protection mechanism and gain access to the system.
The weakness exists due to the openssl gem for Ruby uses the same initialization vector (IV) in GCM Mode (aes-*-gcm) when the IV is set before the key. A remote attacker can bypass the encryption protection mechanism and gain access to the system.
Remediation
Update to version 2.4.0.