Man-in-the-Middle Vulnerability in OAuth-Ruby Gem by Ruby
CVE-2016-11086

7.4 HIGH

Key Information:

Vendor:
CVE Published: 24 September 2020

What is CVE-2016-11086?

The oauth-ruby gem prior to version 0.5.4 is susceptible to a man-in-the-middle vulnerability caused by insufficient verification of X.509 certificates. When no certificate bundle is available, the gem does not validate the server's certificate at all, so an attacker positioned on the network path can impersonate the server and read or alter the OAuth traffic, including tokens and credentials. Applications that rely on this library for authentication and authorization are exposed; upgrading to 0.5.4 or later removes the flaw, and deployments should also confirm that a CA bundle is actually present so that peer verification is never silently disabled.
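As an added illustration (not the gem's own code; the candidate bundle path and the helper names are assumptions), the weak fallback the advisory describes beside a fail-closed alternative, plus a check a reviewer can run against a configured Net::HTTP client:

```ruby
require 'openssl'
require 'net/http'

# Added illustration, not the oauth-ruby gem's own code. It contrasts the
# weak fallback the advisory describes (no CA bundle -> peer verification
# silently disabled) with a fail-closed alternative, plus an audit helper.

class MissingCABundle < StandardError; end

# Return the first readable CA bundle among the candidate paths, or nil.
# The default candidate list is an assumption for this example.
def find_ca_bundle(candidates = [OpenSSL::X509::DEFAULT_CERT_FILE])
  candidates.find { |path| path && File.file?(path) }
end

# Weak pattern: when no bundle is found, fall back to VERIFY_NONE, which
# accepts any certificate and lets an on-path attacker impersonate the server.
def ssl_options_weak(ca_file)
  if ca_file
    { verify_mode: OpenSSL::SSL::VERIFY_PEER, ca_file: ca_file }
  else
    { verify_mode: OpenSSL::SSL::VERIFY_NONE }
  end
end

# Hardened pattern: never downgrade; refuse to build a client without a trust anchor.
def ssl_options_hardened(ca_file)
  raise MissingCABundle, 'no CA bundle found; refusing to disable peer verification' unless ca_file
  { verify_mode: OpenSSL::SSL::VERIFY_PEER, ca_file: ca_file, verify_depth: 5 }
end

# Apply the chosen options to a Net::HTTP client (no connection is opened here).
def build_https(host, opts)
  http = Net::HTTP.new(host, 443)
  http.use_ssl = true
  http.verify_mode = opts[:verify_mode]
  http.ca_file = opts[:ca_file] if opts[:ca_file]
  http.verify_depth = opts[:verify_depth] if opts[:verify_depth]
  http
end

# Audit check: true only if the client will actually verify the peer certificate.
def peer_verification_enabled?(http)
  http.use_ssl? && http.verify_mode == OpenSSL::SSL::VERIFY_PEER
end
```

Running `peer_verification_enabled?` over every HTTPS client an application constructs is a quick way to catch the downgrade without needing to reproduce the missing-bundle condition in production.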

CVSS V3.1

Score: 7.4
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved