CVE-2021-32066

Published: 15 July 2021

An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. Net::IMAP does not raise an exception when StartTLS fails with an an unknown response, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a "StartTLS stripping attack."

Priority

CVSS 3 base score: 7.4

Status

Package	Release	Status
ruby1.9.1 Launchpad, Ubuntu, Debian	bionic	Does not exist
	focal	Does not exist
	groovy	Does not exist
	hirsute	Does not exist
	impish	Does not exist
	jammy	Does not exist
	trusty	Does not exist
	upstream	Needs triage
	xenial	Does not exist
ruby2.0 Launchpad, Ubuntu, Debian	bionic	Does not exist
	focal	Does not exist
	groovy	Does not exist
	hirsute	Does not exist
	impish	Does not exist
	jammy	Does not exist
	trusty	Does not exist
	upstream	Needs triage
	xenial	Does not exist
ruby2.3 Launchpad, Ubuntu, Debian	bionic	Does not exist
	focal	Does not exist
	groovy	Does not exist
	hirsute	Does not exist
	impish	Does not exist
	jammy	Does not exist
	trusty	Does not exist
	upstream	Needs triage
	xenial	Released (2.3.1-2~ubuntu16.04.16+esm1)
ruby2.5 Launchpad, Ubuntu, Debian	bionic	Released (2.5.1-1ubuntu1.10)
	focal	Does not exist
	groovy	Does not exist
	hirsute	Does not exist
	impish	Does not exist
	jammy	Does not exist
	trusty	Does not exist
	upstream	Needs triage
	xenial	Does not exist
ruby2.7 Launchpad, Ubuntu, Debian	bionic	Does not exist
	focal	Released (2.7.0-5ubuntu1.5)
	groovy	Released (2.7.1-3ubuntu1.4)
	hirsute	Released (2.7.2-4ubuntu1.2)
	impish	Released (2.7.4-1ubuntu1)
	trusty	Does not exist
	upstream	Needs triage
	xenial	Does not exist

Security

CVE-2021-32066

Medium

Status

References

Join the discussion

Canonical is offering Expanded Security Maintenance

Further reading