Vulnerabilities > CVE-2021-32066 - Improper Handling of Exceptional Conditions vulnerability in multiple products

CVSS 7.4 - HIGH

Attack vector

NETWORK

Attack complexity

HIGH

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

NONE

network

high complexity

ruby-lang

oracle

CWE-755

NVD

Published: 2021-08-01

Updated: 2024-01-24

Summary

An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. Net::IMAP does not raise an exception when StartTLS fails with an an unknown response, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a "StartTLS stripping attack."

Vulnerable Configurations

Part	Description	Count
Application	Ruby-Lang Ruby Lang Ruby 3.0.0 Ruby Lang Ruby 2.7.0 Ruby Lang Ruby 2.6.0 Ruby Lang Ruby 2.6.1 Ruby Lang Ruby 2.6.2 Ruby Lang Ruby 2.6.3 Ruby Lang Ruby 2.6.4 Ruby Lang Ruby 2.6.5 Ruby Lang Ruby 2.6.6 Ruby Lang Ruby 2.6.7	20
Application	Oracle Oracle JD Edwards Enterpriseone Tools - Oracle JD Edwards Enterpriseone Tools 4.0.1.0 Oracle JD Edwards Enterpriseone Tools 9.1 Oracle JD Edwards Enterpriseone Tools 9.1.5 Oracle JD Edwards Enterpriseone Tools 9.2 Oracle JD Edwards Enterpriseone Tools 9.2.4.0 Oracle JD Edwards Enterpriseone Tools 9.2.4.2 Oracle JD Edwards Enterpriseone Tools 9.2.5.0 Oracle JD Edwards Enterpriseone Tools 9.2.5.3 Oracle JD Edwards Enterpriseone Tools 9.2.6.0 Oracle JD Edwards Enterpriseone Tools 9.2.6.1	11

Common Weakness Enumeration (CWE)

CWE-755 - Improper Handling of Exceptional Conditions

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References