Severity: 7.4 HIGH (NVD)
EPSS: 0.1% (top 77.62%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Aug 1; Latest update May 24

Description

An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. Net::IMAP does not raise an exception when StartTLS fails with an unknown response, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a "StartTLS stripping attack."
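As an added illustration, not code from this page or from Ruby's Net::IMAP, the contrast the description draws: a lenient STARTTLS handler that carries on in plaintext when the server's tagged reply is anything other than OK, beside the strict check that raises instead. The command tag, the StartTLSError class and the sample server replies are constructed assumptions.

```ruby
# Added illustration (not Net::IMAP's own code) of the STARTTLS response check
# that CVE-2021-32066 concerns: the client must refuse to continue unless the
# server answers its STARTTLS command with a tagged OK.

class StartTLSError < StandardError; end

TAG = "A001"   # assumed command tag; a real client generates these sequentially

# Extract the status word from a tagged IMAP response ("A001 OK ...", "A001 NO ...",
# "A001 BAD ..."). Returns nil for anything else: an untagged "* ..." line, a reply
# to a different tag, or a garbled line left behind when the command was blocked.
def tagged_status(line, tag = TAG)
  m = /\A#{Regexp.escape(tag)} (OK|NO|BAD)\b/.match(line.to_s.chomp)
  m && m[1]
end

# Lenient pattern (the behaviour the advisory describes): an unrecognised reply
# does not raise, so the session silently carries on in plaintext.
def negotiate_starttls_lenient(response_line)
  tagged_status(response_line) == "OK" ? :tls : :plaintext
end

# Hardened pattern: anything other than a tagged OK aborts before any
# credentials can be sent over the unencrypted connection.
def negotiate_starttls_strict(response_line)
  status = tagged_status(response_line)
  return :tls if status == "OK"
  raise StartTLSError, "STARTTLS failed (#{status || 'unknown response'}): #{response_line.to_s.chomp.inspect}"
end

# Constructed sample server replies to "A001 STARTTLS".
SAMPLE_RESPONSES = {
  ok:      "A001 OK Begin TLS negotiation now\r\n",
  no:      "A001 NO STARTTLS not supported\r\n",
  bad:     "A001 BAD Command unknown\r\n",
  unknown: "* BYE connection closing\r\n",   # no tagged reply to our command at all
}.freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_RESPONSES.each do |label, line|
    lenient = negotiate_starttls_lenient(line)
    strict  = begin
                negotiate_starttls_strict(line)
              rescue StartTLSError => e
                "raised: #{e.message}"
              end
    puts "#{label}: lenient=#{lenient} strict=#{strict}"
  end
end
```

Only the strict handler turns a blocked or unrecognised STARTTLS reply into a hard failure; the lenient one is the behaviour a network-positioned attacker relies on.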

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Exploitability: 2.2 | Impact: 5.2

Affected Packages (3 packages)

Debian: jruby/jruby < 9.3.9.0+ds-1 (+2)
NVD: ruby-lang/ruby 2.6.0 to 2.6.7 (+2)

Patches

Vulnerability Details (4)

GHSA: GHSA-gx49-h5r3-q3xj: An issue was discovered in Ruby through 2... (2022-05-24)
OSV: CVE-2021-32066: An issue was discovered in Ruby through 2... (2021-08-01)
CVEList: CVE-2021-32066: An issue was discovered in Ruby through 2... (2021-08-01)
OSV: ruby2.3, ruby2.5, ruby2.7 vulnerabilities (2021-07-21)

Vendor Advisories (5)

Oracle: Oracle JD Edwards Risk Matrix: E1 Dev Platform Tech-Cloud (Ruby), CVE-2021-32066 (2022-04-15)
Microsoft: An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. Net::IMAP does not raise an exception when StartTLS fails with an unknown response, which might allow man-in-... (2021-08-10)
Ubuntu: Ruby vulnerabilities (2021-07-21)
Red Hat: ruby: StartTLS stripping vulnerability in Net::IMAP (2021-07-07)
Debian: CVE-2021-32066: jruby - An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x thro... (2021)
CVE-2021-32066 — Ruby-lang Ruby vulnerability | cvebase