CVE Vulnerability

CVE-2021-32066

An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. Net::IMAP does not raise an exception when StartTLS fails with an an unknown response, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a "StartTLS stripping attack."

5.8 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 8.6 / Impact : 4.9

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact NONE

Scope

7.4 /10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/ruby/ruby/commit/a21a3b7d23704a01d34bd79d09dc37897e00922a Patch Third Party Advisory
https://www.ruby-lang.org/en/news/2021/07/07/starttls-stripping-in-net-imap/ Vendor Advisory
https://hackerone.com/reports/1178562 Exploit Patch
https://security.netapp.com/advisory/ntap-20210902-0004/ Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/10/msg00009.html Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html Patch Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*
cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*
cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:*
Information

Published : 2021-08-01 07:15

Updated : 2022-05-10 06:03

NVD link : CVE-2021-32066

Mitre link : CVE-2021-32066

Products Affected

Ruby

Ruby-lang

CWE
CWE-326

Inadequate Encryption Strength