- Vendor Advisory
- >= 2.1.4
In https://security.snyk.io/vuln/SNYK-RUBY-BCRYPT-20009, found "The advisory has been revoked - it doesn’t affect any version of package bcrypt"
bcrypt-ruby Gem for Ruby suffered from a bug related to character encoding that substantially reduced the entropy of hashed passwords containing non US-ASCII characters. An incorrect encoding step transparently replaced such characters by ‘?’ prior to hashing. In the worst case of a password consisting solely of non-US-ASCII characters, this would cause its hash to be equivalent to all other such passwords of the same length.
This issue only affects the JRuby implementation.