CVE-2021-32066
published 2021-08-01

Priority: P3 47 high
CVSS 3.1 score: 7.4
CVSS 3.1 vector: AV:N / AC:H / PR:N / UI:N / S:U / C:H / I:H / A:N
EPSS: 2.91% (85.2th percentile)
An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. Net::IMAP does not raise an exception when StartTLS fails with an unknown response, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a "StartTLS stripping attack."

Affected

11 ranges

Vendor     | Product                              | Version range                        | Fixed in
-----------|--------------------------------------|--------------------------------------|------------------------------
debian     | jruby                                | < jruby 9.3.9.0+ds-1 (bookworm)      | jruby 9.3.9.0+ds-1 (bookworm)
debian     | ruby2.7                              | < jruby 9.3.9.0+ds-1 (bookworm)      | jruby 9.3.9.0+ds-1 (bookworm)
jruby      | jruby                                | >= 0 < 9.3.9.0+ds-1                  | 9.3.9.0+ds-1
jruby      | jruby                                | >= 0 < 9.3.9.0+ds-1                  | 9.3.9.0+ds-1
jruby      | jruby                                | >= 0 < 9.3.9.0+ds-1                  | 9.3.9.0+ds-1
msrc       | cbl2_ruby_2.7.4-1_on_cbl_mariner_2.0 |                                      |
msrc       | cm1_ruby_2.6.7-2_on_cbl_mariner_1.0  |                                      |
oracle     | jd_edwards_enterpriseone_tools       | < 9.2.6.1                            | 9.2.6.1
ruby-lang  | ruby                                 | 2.6.0 – 2.6.7                        |
ruby-lang  | ruby                                 | 2.7.0 – 2.7.3                        |
ruby-lang  | ruby                                 | 3.0.0 – 3.0.1                        |

CVSS provenance

Source         | Version | Score | Severity | Vector
---------------|---------|-------|----------|------------------------------------------------
nvd            | v3.1    | 7.4   | HIGH     | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
nvd            | v2.0    | 5.8   | MEDIUM   | AV:N/AC:M/Au:N/C:P/I:P/A:N
osv            |         | 7.4   | HIGH     |
vendor_debian  |         | 7.4   | HIGH     |
vendor_msrc    |         | 7.4   | HIGH     |
vendor_oracle  |         | 7.4   | HIGH     |
vendor_redhat  |         | 7.4   | HIGH     |
vendor_ubuntu  |         | 7.0   | HIGH     |