ADVISORIES
- OSVDB-62067
- Vendor Advisory
GEM
PLATFORM
PATCHED VERSIONS
- >= 2.1.4
DESCRIPTION
bcrypt-ruby Gem for Ruby suffered from a bug related to character encoding that substantially reduced the entropy of hashed passwords containing non US-ASCII characters. An incorrect encoding step transparently replaced such characters by ‘?’ prior to hashing. In the worst case of a password consisting solely of non-US-ASCII characters, this would cause its hash to be equivalent to all other such passwords of the same length. This issue only affects the JRuby implementation.