RubySec

Providing security resources for the Ruby community

OSVDB-62067 (bcrypt): bcrypt-ruby Gem for Ruby incorrect encoding of non US-ASCII characters (JRuby only)

ADVISORIES

GEM

bcrypt

PATCHED VERSIONS

  • >= 2.1.4

DESCRIPTION

bcrypt-ruby Gem for Ruby suffered from a bug related to character encoding that substantially reduced the entropy of hashed passwords containing non US-ASCII characters. An incorrect encoding step transparently replaced such characters by ‘?’ prior to hashing. In the worst case of a password consisting solely of non-US-ASCII characters, this would cause its hash to be equivalent to all other such passwords of the same length. This issue only affects the JRuby implementation.