A vulnerability was found in Ruby. The Ruby interpreter is vulnerable to the Marvin Attack. This attack allows the attacker to decrypt previously encrypted messages or forge signatures by exchanging a large number of messages with the vulnerable service.


Advisories
Source: EUVD
ID: EUVD-2025-1595
Title: A vulnerability was found in Ruby. The Ruby interpreter is vulnerable to the Marvin Attack. This attack allows the attacker to decrypt previously encrypted messages or forge signatures by exchanging a large number of messages with the vulnerable service.
Fixes

Solution

No solution given by the vendor.


Workaround

See the following possible mitigations for this flaw:

* Do not use the methods with PKCS#1 v1.5 padding in network contexts. Make sure that any calls that happen will perform OAEP decryption only. Do not support PKCS#1 v1.5 encryption padding at all.
* Use Ruby with a version of OpenSSL that has the implicit rejection mechanism implemented (https://github.com/openssl/openssl/pull/13817, https://github.com/openssl/openssl/commit/7fc67e0a33102aa47bbaa56533eeecb98c0450f7; included in 3.2.0, backported to RHEL-8).
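The following Ruby snippet is an added illustration of the two workarounds above; it is not code from the advisory, from Ruby or from OpenSSL. It assumes the helper names `oaep_encrypt`, `oaep_only_decrypt` and `implicit_rejection_in_upstream?` (all hypothetical), a freshly generated test key and a constructed sample message. The first helper pins the padding mode to OAEP so that a caller cannot select `PKCS1_PADDING`; the second is a version heuristic for the "implicit rejection" mitigation and, because the advisory says the fix was backported to RHEL-8 under an older version string, it is only a lower bound.

```ruby
require 'openssl'

OAEP = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING

# Encrypt for the peer with OAEP. (Hypothetical helper name.)
def oaep_encrypt(public_key, plaintext)
  public_key.public_encrypt(plaintext, OAEP)
end

# Decrypt with OAEP only. The padding mode is fixed inside the helper rather
# than taken as a parameter, so no call site can reintroduce PKCS#1 v1.5
# (OpenSSL::PKey::RSA::PKCS1_PADDING), the mode the Marvin attack targets.
# A ciphertext that was not OAEP-padded fails the OAEP check and raises.
def oaep_only_decrypt(private_key, ciphertext)
  private_key.private_decrypt(ciphertext, OAEP)
end

# Heuristic for the second mitigation: upstream OpenSSL gained implicit
# rejection in 3.2.0. Distribution backports (the advisory names RHEL-8)
# may carry the fix under an older version string, so a false result means
# "check the vendor changelog", not "definitely unpatched". (Assumption:
# OpenSSL::OPENSSL_LIBRARY_VERSION reports the linked library, e.g.
# "OpenSSL 3.0.2 15 Mar 2022".)
def implicit_rejection_in_upstream?(version_string = OpenSSL::OPENSSL_LIBRARY_VERSION)
  m = version_string.match(/(\d+)\.(\d+)\.(\d+)/)
  return false unless m
  (m[1..3].map(&:to_i) <=> [3, 2, 0]) >= 0
end

if __FILE__ == $PROGRAM_NAME
  key = OpenSSL::PKey::RSA.new(2048)      # constructed test key
  secret = "constructed session secret"   # constructed sample message
  ct = oaep_encrypt(key, secret)
  puts "OAEP round trip ok: #{oaep_only_decrypt(key, ct) == secret}"

  # A v1.5-padded ciphertext never reaches a v1.5 decryption path here.
  legacy_ct = key.public_encrypt(secret, OpenSSL::PKey::RSA::PKCS1_PADDING)
  begin
    oaep_only_decrypt(key, legacy_ct)
  rescue OpenSSL::OpenSSLError => e
    puts "PKCS#1 v1.5 ciphertext rejected by OAEP-only path: #{e.class}"
  end

  puts "Linked OpenSSL: #{OpenSSL::OPENSSL_LIBRARY_VERSION}"
  puts "Implicit rejection in upstream release: #{implicit_rejection_in_upstream?}"
end
```

Wrapping `private_decrypt` this way is the practical form of "make sure that any calls that happen will perform OAEP decryption only": grep the code base for `PKCS1_PADDING` and for bare `private_decrypt` calls (whose default padding is PKCS#1 v1.5) and route them through the wrapper.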

History

Thu, 06 Nov 2025 23:30:00 +0000

Type Values Removed Values Added
CPEs cpe:/o:redhat:enterprise_linux:10

Fri, 21 Feb 2025 18:45:00 +0000

Type Values Removed Values Added
References

Thu, 13 Feb 2025 00:45:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity: None (removed) -> Moderate (added)


Thu, 09 Jan 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 09 Jan 2025 04:15:00 +0000

Type Values Removed Values Added
Description: A vulnerability was found in Ruby. The Ruby interpreter is vulnerable to the Marvin Attack. This attack allows the attacker to decrypt previously encrypted messages or forge signatures by exchanging a large number of messages with the vulnerable service.
Title: Ruby: openssl: ruby marvin attack
First Time appeared: Redhat, Redhat enterprise Linux, Redhat storage
Weaknesses: CWE-385
CPEs: cpe:/a:redhat:storage:3, cpe:/o:redhat:enterprise_linux:6, cpe:/o:redhat:enterprise_linux:7, cpe:/o:redhat:enterprise_linux:8, cpe:/o:redhat:enterprise_linux:9
Vendors & Products: Redhat, Redhat enterprise Linux, Redhat storage
References
Metrics cvssV3_1: {'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-01-21T23:51:50.530Z

Reserved: 2025-01-07T11:23:31.713Z

Link: CVE-2025-0306

Vulnrichment

Updated: 2025-02-21T18:03:34.267Z

NVD

Status : Awaiting Analysis

Published: 2025-01-09T04:15:13.000

Modified: 2025-02-21T18:15:19.290

Link: CVE-2025-0306

Redhat

Severity : Moderate

Public Date: 2024-06-24T00:00:00Z

Links: CVE-2025-0306 - Bugzilla

OpenCVE Enrichment

No data.

Weaknesses