vulnerability
Oracle Linux: CVE-2021-32066: ELSA-2021-3020: ruby:2.7 security update (IMPORTANT) (Multiple Advisories)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 6 | (AV:N/AC:M/Au:N/C:P/I:P/A:N) | Jul 7, 2021 | Aug 7, 2021 | Dec 3, 2025 |
Severity
6
CVSS
(AV:N/AC:M/Au:N/C:P/I:P/A:N)
Published
Jul 7, 2021
Added
Aug 7, 2021
Modified
Dec 3, 2025
Description
An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. Net::IMAP does not raise an exception when StartTLS fails with an an unknown response, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a "StartTLS stripping attack."
Ruby's Net::IMAP module did not raise an exception when receiving an unexpected response to the STARTTLS command and the connection was not upgraded to use TLS. A man-in-the-middle attacker could use this flaw to prevent Ruby applications using Net::IMAP to enable TLS encryption for a connection to an IMAP server and subsequently eavesdrop on or modify data sent over the plain text connection.
Ruby's Net::IMAP module did not raise an exception when receiving an unexpected response to the STARTTLS command and the connection was not upgraded to use TLS. A man-in-the-middle attacker could use this flaw to prevent Ruby applications using Net::IMAP to enable TLS encryption for a connection to an IMAP server and subsequently eavesdrop on or modify data sent over the plain text connection.
Solutions
oracle-linux-upgrade-rubyoracle-linux-upgrade-ruby-default-gemsoracle-linux-upgrade-ruby-develoracle-linux-upgrade-ruby-docoracle-linux-upgrade-rubygem-abrtoracle-linux-upgrade-rubygem-abrt-docoracle-linux-upgrade-rubygem-bigdecimaloracle-linux-upgrade-rubygem-bsonoracle-linux-upgrade-rubygem-bson-docoracle-linux-upgrade-rubygem-bundleroracle-linux-upgrade-rubygem-bundler-docoracle-linux-upgrade-rubygem-did-you-meanoracle-linux-upgrade-rubygem-io-consoleoracle-linux-upgrade-rubygem-irboracle-linux-upgrade-rubygem-jsonoracle-linux-upgrade-rubygem-minitestoracle-linux-upgrade-rubygem-mongooracle-linux-upgrade-rubygem-mongo-docoracle-linux-upgrade-rubygem-mysql2oracle-linux-upgrade-rubygem-mysql2-docoracle-linux-upgrade-rubygem-net-telnetoracle-linux-upgrade-rubygem-openssloracle-linux-upgrade-rubygem-pgoracle-linux-upgrade-rubygem-pg-docoracle-linux-upgrade-rubygem-power-assertoracle-linux-upgrade-rubygem-psychoracle-linux-upgrade-rubygem-rakeoracle-linux-upgrade-rubygem-rdocoracle-linux-upgrade-rubygemsoracle-linux-upgrade-rubygems-develoracle-linux-upgrade-rubygem-test-unitoracle-linux-upgrade-rubygem-xmlrpcoracle-linux-upgrade-ruby-irboracle-linux-upgrade-ruby-libs
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.