Insecure Initialization Vector

Affecting openssl gem, versions <2.0.0

Do your applications use this vulnerable package? Test your applications

Overview

openssl is a package that wraps the OpenSSL library.

Affected versions of this package are vulnerable to Insecure Initialization Vector. The openssl gem for Ruby uses the same initialization vector (IV) in GCM Mode (aes-*-gcm) when the IV is set before the key, which makes it easier for context-dependent attackers to bypass the encryption protection mechanism.

Remediation

Upgrade openssl to version 2.0.0 or higher.

References

CVSS Score

7.5
high severity
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    High
  • Integrity
    None
  • Availability
    None
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Credit
Unknown
CVE
CVE-2016-7798
CWE
CWE-310
Snyk ID
SNYK-RUBY-OPENSSL-451556
Disclosed
30 Jan, 2017
Published
08 Jul, 2019