CVE-2021-32066

Summary

CVE	CVE-2021-32066
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2021-08-01 19:15:00 UTC
Updated	2024-01-24 05:15:00 UTC
Description	An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. Net::IMAP does not raise an exception when StartTLS fails with an an unknown response, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a "StartTLS stripping attack."

Risk And Classification

Problem Types: CWE-755

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Oracle	Jd Edwards Enterpriseone Tools	All	All	All	All
Application	Ruby-lang	Ruby	All	All	All	All
Application	Ruby-lang	Ruby	All	All	All	All
Application	Ruby-lang	Ruby	All	All	All	All

References

Reference	Source	Link	Tags
Fix StartTLS stripping vulnerability · ruby/ruby@a21a3b7 · GitHub	CONFIRM	github.com
August 2021 Ruby Vulnerabilities in NetApp Products \| NetApp Product Security	CONFIRM	security.netapp.com
Oracle Critical Patch Update Advisory - April 2022	MISC	www.oracle.com
Ruby: Multiple vulnerabilities (GLSA 202401-27) — Gentoo security		security.gentoo.org
HackerOne	MISC	hackerone.com
[SECURITY] [DLA 2780-1] ruby2.3 security update	MLIST	lists.debian.org
[SECURITY] [DLA 3408-1] jruby security update	MLIST	lists.debian.org
CVE-2021-32066: A StartTLS stripping vulnerability in Net::IMAP	CONFIRM	www.ruby-lang.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

159326 Oracle Enterprise Linux Security Update for ruby:2.7 (ELSA-2021-3020)
159635 Oracle Enterprise Linux Security Update for ruby:2.6 (ELSA-2022-0543)
159682 Oracle Enterprise Linux Security Update for ruby:2.5 (ELSA-2022-0672)
159692 Oracle Enterprise Linux Security Update for ruby:2.5 (ELSA-2022-0672-1)
178838 Debian Security Update for ruby2.3 (DLA 2780-1)
179051 Debian Security Update for ruby2.5 (DSA 5066-1)
179999 Debian Security Update for ruby2.7 (CVE-2021-32066)
181757 Debian Security Update for jruby (DLA 3408-1)
198440 Ubuntu Security Notification for Ruby vulnerabilities (USN-5020-1)
239536 Red Hat Update for ruby:2.7 (RHSA-2021:3020)
239644 Red Hat Update for rh-ruby27-ruby (RHSA-2021:3559)
239651 Red Hat Update for rh-ruby27-ruby (RHSA-2021:3559)
239736 Red Hat Update for rh-ruby30-ruby (RHSA-2021:3982)
240090 Red Hat Update for ruby:2.6 (RHSA-2022:0544)
240092 Red Hat Update for ruby:2.6 (RHSA-2022:0543)
240108 Red Hat Update for ruby:2.5 (RHSA-2022:0672)
240116 Red Hat Update for rh-ruby26-ruby security (RHSA-2022:0708)
240156 Red Hat Update for ruby:2.6 (RHSA-2022:0582)
281749 Fedora Security Update for ruby (FEDORA-2021-36cdab1f8d)
296060 Oracle Solaris 11.4 Support Repository Update (SRU) 37.0.1.101.1 Missing (CPUJUL2021)
356177 Amazon Linux Security Advisory for ruby : ALASRUBY3.0-2023-005
356272 Amazon Linux Security Advisory for ruby : ALASRUBY2.6-2023-004
356464 Amazon Linux Security Advisory for ruby : ALAS2RUBY2.6-2023-004
356497 Amazon Linux Security Advisory for ruby : ALAS2RUBY3.0-2023-005
377094 Alibaba Cloud Linux Security Update for ruby:2.7 (ALINUX3-SA-2021:0054)
500616 Alpine Linux Security Update for ruby
504376 Alpine Linux Security Update for ruby
670728 EulerOS Security Update for ruby (EulerOS-SA-2021-2486)
670835 EulerOS Security Update for ruby (EulerOS-SA-2021-2721)
670875 EulerOS Security Update for ruby (EulerOS-SA-2021-2696)
671024 EulerOS Security Update for ruby (EulerOS-SA-2021-2673)
671027 EulerOS Security Update for ruby (EulerOS-SA-2021-2614)
690087 Free Berkeley Software Distribution (FreeBSD) Security Update for ruby (7ed5779c-e4c7-11eb-91d7-08002728f74c)
710844 Gentoo Linux Ruby Multiple Vulnerabilities (GLSA 202401-27)
751413 SUSE Enterprise Linux Security Update for ruby2.5 (SUSE-SU-2021:3838-1)
751423 SUSE Enterprise Linux Security Update for ruby2.1 (SUSE-SU-2021:3837-1)
751432 OpenSUSE Security Update for ruby2.5 (openSUSE-SU-2021:3838-1)
751459 OpenSUSE Security Update for ruby2.5 (openSUSE-SU-2021:1535-1)
752103 SUSE Enterprise Linux Security Update for ruby2.5 (SUSE-SU-2022:1512-1)
900290 CBL-Mariner Linux Security Update for ruby 2.6.7
901267 Common Base Linux Mariner (CBL-Mariner) Security Update for ruby (6861-1)
902811 Common Base Linux Mariner (CBL-Mariner) Security Update for ruby (5019)
940383 AlmaLinux Security Update for ruby:2.7 (ALSA-2021:3020)
940455 AlmaLinux Security Update for ruby:2.6 (ALSA-2022:0543)
940459 AlmaLinux Security Update for ruby:2.5 (ALSA-2022:0672)
960315 Rocky Linux Security Update for ruby:2.7 (RLSA-2021:3020)
960814 Rocky Linux Security Update for ruby:2.6 (RLSA-2022:0543)
960817 Rocky Linux Security Update for ruby:2.5 (RLSA-2022:0672)