** DISPUTED ** The openssl extension in Ruby 2.x does not properly
maintain the state of process memory after a file is reopened, which
allows remote attackers to spoof signatures within the context of a
Ruby script that attempts signature verification after performing a
certain sequence of filesystem operations. NOTE: this issue has been
disputed by the Ruby OpenSSL team and third parties, who state that
the original demonstration PoC contains errors and redundant or
unnecessarily-complex code that does not appear to be related to a
demonstration of the issue. As of 20140502, CVE is not aware of any
public comment by the original researcher.
Note:References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
FULLDISC:20140416 Ruby OpenSSL private key spoofing ~ CVE-2014-2734 with PoC
Disclaimer: The entry creation date may reflect when
the CVE-ID was allocated or reserved, and does not
necessarily indicate when this vulnerability was
discovered, shared with the affected vendor, publicly
disclosed, or updated in CVE.
This is an entry on the CVE
list, which standardizes names for security