CVE-2016-7798

Published: Jan 30, 2017Modified: May 13, 2026

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

The openssl gem for Ruby uses the same initialization vector (IV) in GCM Mode (aes-*-gcm) when the IV is set before the key, which makes it easier for context-dependent attackers to bypass the encryption protection mechanism.

Affected (3)

Products: Ruby Lang: Openssl · Debian: Debian Linux

1 product

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Ruby Lang Openssl	Before 2.0.0

Configuration B

2 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 8.0
Debian Debian Linux	Version 9.0

Related CWEs

CWE-326

Inadequate Encryption Strength

The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

References (16)

http://www.openwall.com/lists/oss-security/2016/09/19/9

Source: cve@mitre.org

Mailing ListThird Party Advisory

http://www.openwall.com/lists/oss-security/2016/09/30/6

Source: cve@mitre.org

Mailing ListPatchThird Party Advisory

http://www.openwall.com/lists/oss-security/2016/10/01/2

Source: cve@mitre.org

Mailing ListThird Party Advisory

http://www.securityfocus.com/bid/93031

Source: cve@mitre.org

Third Party AdvisoryVDB Entry

https://github.com/ruby/openssl/commit/8108e0a6db133f3375608303fdd2083eb5115062

Source: cve@mitre.org

PatchThird Party Advisory

https://github.com/ruby/openssl/issues/49

Source: cve@mitre.org

ExploitThird Party Advisory

https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html

Source: cve@mitre.org

Mailing ListThird Party Advisory

https://www.debian.org/security/2017/dsa-3966

Source: cve@mitre.org

Third Party Advisory

http://www.openwall.com/lists/oss-security/2016/09/19/9