StartTLS Vulnerability in Ruby's IMAP Library Affecting Various Versions
CVE-2021-32066

7.4HIGH

Key Information:

Vendor: Ruby-lang
Status: Ruby
Vendor: CVE Published:; 1 August 2021

What is CVE-2021-32066?

A vulnerability in the Net::IMAP component of Ruby allows man-in-the-middle attackers to exploit the lack of exception raising when StartTLS fails due to an unknown response. This oversight can lead to a StartTLS stripping attack, enabling an attacker positioned between the client and the server to inhibit the StartTLS command, compromising the encrypted communication channel intended to protect sensitive data.

References

https://hackerone.com/reports/1178562

https://lists.debian.org/debian-lts-announce/2021/10/msg0...

mailing-list

https://www.oracle.com/security-alerts/cpuapr2022.html

CVSS V3.1

Score:

7.4

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Aug 1, 2021
Vulnerability Reserved
May 6, 2021

Ruby-lang

What is CVE-2021-32066?

References

CVSS V3.1

Timeline