CVE-2021-32066 - log back

CVE-2021-32066 edited at 16 Jul 2021 08:34:29
Description
- A security issue has been discovered in Ruby before versions 3.0.2, 2.7.4 and 2.6.8. Net::IMAP does not raise an exception when StartTLS fails with an unknown response, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a “StartTLS stripping attack.”
+ A security issue has been discovered in Ruby before versions 3.0.2, 2.7.4 and 2.6.8. Net::IMAP does not raise an exception when StartTLS fails with an unknown response, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a “StartTLS stripping attack”.
CVE-2021-32066 edited at 07 Jul 2021 12:58:25
Severity
- Unknown
+ High
Remote
- Unknown
+ Remote
Type
- Unknown
+ Silent downgrade
Description
+ A security issue has been discovered in Ruby before versions 3.0.2, 2.7.4 and 2.6.8. Net::IMAP does not raise an exception when StartTLS fails with an unknown response, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a “StartTLS stripping attack.”
References
+ https://www.ruby-lang.org/en/news/2021/07/07/starttls-stripping-in-net-imap/
+ https://hackerone.com/reports/1178562
+ https://github.com/ruby/net-imap/commit/adba6f0c3e5c5607c4822b9120322eb7e9a77891
Notes
CVE-2021-32066 created at 07 Jul 2021 12:53:38