7.5

CVE-2016-7798

Exploit
The openssl gem for Ruby uses the same initialization vector (IV) in GCM Mode (aes-*-gcm) when the IV is set before the key, which makes it easier for context-dependent attackers to bypass the encryption protection mechanism.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Ruby-langOpenssl SwPlatformruby Version < 2.0.0
DebianDebian Linux Version8.0
DebianDebian Linux Version9.0
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 3.17% 0.863
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov 5 10 2.9
AV:N/AC:L/Au:N/C:P/I:N/A:N
CWE-326 Inadequate Encryption Strength

The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html
Third Party Advisory
Mailing List
http://www.openwall.com/lists/oss-security/2016/09/19/9
Third Party Advisory
Mailing List
http://www.openwall.com/lists/oss-security/2016/09/30/6
Patch
Third Party Advisory
Mailing List
http://www.openwall.com/lists/oss-security/2016/10/01/2
Third Party Advisory
Mailing List
http://www.securityfocus.com/bid/93031
Third Party Advisory
VDB Entry
https://github.com/ruby/openssl/commit/8108e0a6db133f3375608303fdd2083eb5115062
Patch
Third Party Advisory
https://github.com/ruby/openssl/issues/49
Third Party Advisory
Exploit
https://www.debian.org/security/2017/dsa-3966
Third Party Advisory