Is CVE-2014-2734 being actively exploited?

It is not currently in CISA's KEV catalog. Its EPSS exploitation probability is 5%.

What products does CVE-2014-2734 affect?

Tracked products affected include Ruby. Check the version you run to see whether it is affected.

How do I fix CVE-2014-2734?

Apply the vendor fix in your normal patch cycle. Upgrade affected products to a fixed version.

CVE-2014-2734

Q: What is CVE-2014-2734?

CVE-2014-2734 is a medium-severity software vulnerability (CWE-399) with a CVSS score of 5.8. The openssl extension in Ruby 2.x does not properly maintain the state of process memory after a file is reopened, which allows remote attackers to spoof signatures within the context of a Ruby script that attempts signature verification af

MEDIUM severity · CVSS 5.8 · CWE-399

5.8CVSS MEDIUM

Summary

The openssl extension in Ruby 2.x does not properly maintain the state of process memory after a file is reopened, which allows remote attackers to spoof signatures within the context of a Ruby script that attempts signature verification after performing a certain sequence of filesystem operations. NOTE: this issue has been disputed by the Ruby OpenSSL team and third parties, who state that the original demonstration PoC contains errors and redundant or unnecessarily-complex code that does not appear to be related to a demonstration of the issue. As of 20140502, CVE is not aware of any public comment by the original researcher

Impact & exploitability

Attack vectorNetwork

Attack complexity—

Privileges required—

User interaction—

Confidentiality impact—

Integrity impact—

Availability impactNone

Exploit probability (EPSS)5%

AV:N/AC:M/Au:N/C:P/I:P/A:N

Affected products we track (1)

Ruby

Recommendation

Apply the vendor fix in your normal patch cycle. Open any affected product above for its exact safe version.

CVE-2014-2734

Summary

Impact & exploitability

Affected products we track (1)

Recommendation

Additional information