CVE-2021-32066

CVSS v3.1 7.4 (High)
CVSS v2.0 5.8 (Medium)
EPSS 0.24 % (65th)
Affected Products 2
Advisories 26

An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. Net::IMAP does not raise an exception when StartTLS fails with an unknown response, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a "StartTLS stripping attack."

Weaknesses
CWE-755
Improper Handling of Exceptional Conditions
CVE Status
PUBLISHED
CNA
MITRE
Published Date
2021-08-01 19:15:07
(3 years ago)
Updated Date
2024-01-24 05:15:10
(7 months ago)

Affected Products


Configuration #1

  Product | CPE23 | From | Up To
  Ruby-lang Ruby, versions 2.6.0 through 2.6.7 | cpe:2.3:a:ruby-lang:ruby | >= 2.6.0 | <= 2.6.7
  Ruby-lang Ruby, versions 2.7.0 through 2.7.3 | cpe:2.3:a:ruby-lang:ruby | >= 2.7.0 | <= 2.7.3
  Ruby-lang Ruby, versions 3.0.0 through 3.0.1 | cpe:2.3:a:ruby-lang:ruby | >= 3.0.0 | <= 3.0.1

Configuration #2

  Product | CPE23 | From | Up To
  Oracle JD Edwards EnterpriseOne Tools, versions prior to 9.2.6.1 | cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools | | < 9.2.6.1