7.4

CVE-2021-32066

Exploit

An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. Net::IMAP does not raise an exception when StartTLS fails with an an unknown response, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a "StartTLS stripping attack."

Data is provided by the National Vulnerability Database (NVD)
Ruby-langRuby Version >= 2.6.0 <= 2.6.7
Ruby-langRuby Version >= 2.7.0 <= 2.7.3
Ruby-langRuby Version >= 3.0.0 <= 3.0.1
OracleJd Edwards Enterpriseone Tools Version < 9.2.6.1
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 0.07% 0.23
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 7.4 2.2 5.2
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
nvd@nist.gov 5.8 8.6 4.9
AV:N/AC:M/Au:N/C:P/I:P/A:N
CWE-755 Improper Handling of Exceptional Conditions

The product does not handle or incorrectly handles an exceptional condition.

https://hackerone.com/reports/1178562
Patch
Third Party Advisory
Exploit