CVE-2021-32066 log

Source
Severity High
Remote Yes
Type Silent downgrade
Description
A security issue has been discovered in Ruby before versions 3.0.2, 2.7.4 and 2.6.8. Net::IMAP does not raise an exception when StartTLS fails with an unknown response, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a “StartTLS stripping attack”.
Group Package Affected Fixed Severity Status Ticket
AVG-2141 logstash 7.10.1-1 High Vulnerable
AVG-2140 ruby2.6 2.6.7-1 2.6.8-1 High Fixed
AVG-2139 ruby2.7 2.7.3-1 2.7.4-1 High Fixed
AVG-2138 ruby 3.0.1-1 3.0.2-1 High Fixed
AVG-1906 jruby 9.2.19.0-1 9.3.0.0-1 High Fixed
Date Advisory Group Package Severity Type
14 Jul 2021 ASA-202107-25 AVG-2140 ruby2.6 High multiple issues
14 Jul 2021 ASA-202107-24 AVG-2139 ruby2.7 High multiple issues
14 Jul 2021 ASA-202107-23 AVG-2138 ruby High multiple issues
References
https://www.ruby-lang.org/en/news/2021/07/07/starttls-stripping-in-net-imap/
https://hackerone.com/reports/1178562
https://github.com/ruby/net-imap/commit/adba6f0c3e5c5607c4822b9120322eb7e9a77891