Vulnerability identifier: #VU15724
Vulnerability risk: Low
Exploitation vector: Network
Exploit availability: No
The vulnerability allows a remote attacker to bypass security restrictions on the target system.
The weakness exists in OpenSSL::X509::Name due to the equality check is not correct if the value of an entity of the argument (right-hand side) starts with the value of the receiver (left-hand side). A remote attacker can supply malicious X.509 certificate to be passed and bypass security restrictions to conduct further attacks.
The vulnerability has been fixed in the versions 2.3.8, 2.4.5, 2.5.2.
Vulnerable software versions
Ruby: 2.2.3 - 2.6.0-preview2
Can this vulnerability be exploited remotely?
Is there known malware, which exploits this vulnerability?