Unrated severity · NVD Advisory · Published Aug 1, 2021 · Updated Aug 3, 2024
CVE-2021-32066
Description
An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. Net::IMAP does not raise an exception when StartTLS fails with an unknown response, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a "StartTLS stripping attack."
Affected products
- Ruby/Net::IMAP (76 package coordinates, no CPE; the version range listed with each coordinate is the affected range)
  - pkg:bitnami/ruby: >= 2.6.0, < 2.6.8
  - pkg:bitnami/ruby-min: >= 2.6.0, < 2.6.8
  - pkg:rpm/almalinux/ruby: < 2.7.4-137.module_el8.4.0+2515+f744ca41
  - pkg:rpm/almalinux/ruby-default-gems: < 2.7.4-137.module_el8.4.0+2515+f744ca41
  - pkg:rpm/almalinux/ruby-devel: < 2.7.4-137.module_el8.5.0+117+35d1289b
  - pkg:rpm/almalinux/ruby-doc: < 2.7.4-137.module_el8.4.0+2515+f744ca41
  - pkg:rpm/almalinux/rubygem-abrt: < 0.4.0-1.module_el8.4.0+2399+4e3a532a
  - pkg:rpm/almalinux/rubygem-abrt-doc: < 0.4.0-1.module_el8.5.0+118+1ab773e1
  - pkg:rpm/almalinux/rubygem-bigdecimal: < 2.0.0-137.module_el8.4.0+2515+f744ca41
  - pkg:rpm/almalinux/rubygem-bson: < 4.8.1-1.module_el8.5.0+117+35d1289b
  - pkg:rpm/almalinux/rubygem-bson-doc: < 4.8.1-1.module_el8.3.0+6147+d0dfc1e4
  - pkg:rpm/almalinux/rubygem-bundler: < 2.2.24-137.module_el8.4.0+2515+f744ca41
  - pkg:rpm/almalinux/rubygem-bundler-doc: < 1.16.1-4.module_el8.5.0+2625+ec418553
  - pkg:rpm/almalinux/rubygem-did_you_mean: < 1.3.0-108.module_el8.5.0+2623+08a8ba32
  - pkg:rpm/almalinux/rubygem-io-console: < 0.5.6-137.module_el8.4.0+2515+f744ca41
  - pkg:rpm/almalinux/rubygem-irb: < 1.2.6-137.module_el8.4.0+2515+f744ca41
  - pkg:rpm/almalinux/rubygem-json: < 2.3.0-137.module_el8.5.0+117+35d1289b
  - pkg:rpm/almalinux/rubygem-minitest: < 5.13.0-137.module_el8.4.0+2515+f744ca41
  - pkg:rpm/almalinux/rubygem-mongo: < 2.11.3-1.module_el8.3.0+6147+d0dfc1e4
  - pkg:rpm/almalinux/rubygem-mongo-doc: < 2.11.3-1.module_el8.3.0+6147+d0dfc1e4
  - pkg:rpm/almalinux/rubygem-mysql2: < 0.5.3-1.module_el8.4.0+2399+4e3a532a
  - pkg:rpm/almalinux/rubygem-mysql2-doc: < 0.5.3-1.module_el8.5.0+118+1ab773e1
  - pkg:rpm/almalinux/rubygem-net-telnet: < 0.2.0-137.module_el8.4.0+2515+f744ca41
  - pkg:rpm/almalinux/rubygem-openssl: < 2.1.2-137.module_el8.4.0+2515+f744ca41
  - pkg:rpm/almalinux/rubygem-pg: < 1.2.3-1.module_el8.3.0+6147+d0dfc1e4
  - pkg:rpm/almalinux/rubygem-pg-doc: < 1.2.3-1.module_el8.3.0+6147+d0dfc1e4
  - pkg:rpm/almalinux/rubygem-power_assert: < 1.1.7-137.module_el8.4.0+2515+f744ca41
  - pkg:rpm/almalinux/rubygem-psych: < 3.1.0-137.module_el8.4.0+2515+f744ca41
  - pkg:rpm/almalinux/rubygem-rake: < 13.0.1-137.module_el8.4.0+2515+f744ca41
  - pkg:rpm/almalinux/rubygem-rdoc: < 6.2.1.1-137.module_el8.4.0+2515+f744ca41
  - pkg:rpm/almalinux/rubygems: < 3.1.6-137.module_el8.4.0+2515+f744ca41
  - pkg:rpm/almalinux/rubygems-devel: < 3.1.6-137.module_el8.4.0+2515+f744ca41
  - pkg:rpm/almalinux/rubygem-test-unit: < 3.3.4-137.module_el8.4.0+2515+f744ca41
  - pkg:rpm/almalinux/rubygem-xmlrpc: < 0.3.0-137.module_el8.4.0+2515+f744ca41
  - pkg:rpm/almalinux/ruby-irb: < 2.5.9-109.module_el8.5.0+259+8cec6917
  - pkg:rpm/almalinux/ruby-libs: < 2.7.4-137.module_el8.4.0+2515+f744ca41
  - pkg:rpm/opensuse/ruby2.5 (openSUSE Leap 15.3): < 2.5.9-150000.4.23.1
  - pkg:rpm/opensuse/ruby2.5 (openSUSE Leap 15.4): < 2.5.9-150000.4.23.1
  - pkg:rpm/suse/ruby2.1 (HPE Helion OpenStack 8): < 2.1.9-19.6.1
  - pkg:rpm/suse/ruby2.1 (SUSE Linux Enterprise Server 12 SP2-BCL): < 2.1.9-19.6.1
  - pkg:rpm/suse/ruby2.1 (SUSE Linux Enterprise Server 12 SP3-BCL): < 2.1.9-19.6.1
  - pkg:rpm/suse/ruby2.1 (SUSE Linux Enterprise Server 12 SP3-LTSS): < 2.1.9-19.6.1
  - pkg:rpm/suse/ruby2.1 (SUSE Linux Enterprise Server 12 SP4-LTSS): < 2.1.9-19.6.1
  - pkg:rpm/suse/ruby2.1 (SUSE Linux Enterprise Server 12 SP5): < 2.1.9-19.6.1
  - pkg:rpm/suse/ruby2.1 (SUSE Linux Enterprise Server for SAP Applications 12 SP3): < 2.1.9-19.6.1
  - pkg:rpm/suse/ruby2.1 (SUSE Linux Enterprise Server for SAP Applications 12 SP4): < 2.1.9-19.6.1
  - pkg:rpm/suse/ruby2.1 (SUSE Linux Enterprise Server for SAP Applications 12 SP5): < 2.1.9-19.6.1
  - pkg:rpm/suse/ruby2.1 (SUSE Linux Enterprise Software Development Kit 12 SP5): < 2.1.9-19.6.1
  - pkg:rpm/suse/ruby2.1 (SUSE OpenStack Cloud 8): < 2.1.9-19.6.1
  - pkg:rpm/suse/ruby2.1 (SUSE OpenStack Cloud 9): < 2.1.9-19.6.1
  - pkg:rpm/suse/ruby2.1 (SUSE OpenStack Cloud Crowbar 8): < 2.1.9-19.6.1
  - pkg:rpm/suse/ruby2.1 (SUSE OpenStack Cloud Crowbar 9): < 2.1.9-19.6.1
  - pkg:rpm/suse/ruby2.5 (SUSE Enterprise Storage 6): < 2.5.9-150000.4.23.1
  - pkg:rpm/suse/ruby2.5 (SUSE Enterprise Storage 7): < 2.5.9-150000.4.23.1
  - pkg:rpm/suse/ruby2.5 (SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS): < 2.5.9-150000.4.23.1
  - pkg:rpm/suse/ruby2.5 (SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS): < 2.5.9-150000.4.23.1
  - pkg:rpm/suse/ruby2.5 (SUSE Linux Enterprise High Performance Computing 15 SP2-ESPOS): < 2.5.9-150000.4.23.1
  - pkg:rpm/suse/ruby2.5 (SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS): < 2.5.9-150000.4.23.1
  - pkg:rpm/suse/ruby2.5 (SUSE Linux Enterprise High Performance Computing 15-ESPOS): < 2.5.9-150000.4.23.1
  - pkg:rpm/suse/ruby2.5 (SUSE Linux Enterprise High Performance Computing 15-LTSS): < 2.5.9-150000.4.23.1
  - pkg:rpm/suse/ruby2.5 (SUSE Linux Enterprise Micro 5.0): < 2.5.9-150000.4.23.1
  - pkg:rpm/suse/ruby2.5 (SUSE Linux Enterprise Module for Basesystem 15 SP2): < 2.5.9-4.20.1
  - pkg:rpm/suse/ruby2.5 (SUSE Linux Enterprise Module for Basesystem 15 SP3): < 2.5.9-150000.4.23.1
  - pkg:rpm/suse/ruby2.5 (SUSE Linux Enterprise Real Time 15 SP2): < 2.5.9-150000.4.23.1
  - pkg:rpm/suse/ruby2.5 (SUSE Linux Enterprise Server 15 SP1-BCL): < 2.5.9-150000.4.23.1
  - pkg:rpm/suse/ruby2.5 (SUSE Linux Enterprise Server 15 SP1-LTSS): < 2.5.9-150000.4.23.1
  - pkg:rpm/suse/ruby2.5 (SUSE Linux Enterprise Server 15 SP2-BCL): < 2.5.9-150000.4.23.1
  - pkg:rpm/suse/ruby2.5 (SUSE Linux Enterprise Server 15 SP2-LTSS): < 2.5.9-150000.4.23.1
  - pkg:rpm/suse/ruby2.5 (SUSE Linux Enterprise Server 15-LTSS): < 2.5.9-150000.4.23.1
  - pkg:rpm/suse/ruby2.5 (SUSE Linux Enterprise Server for SAP Applications 15): < 2.5.9-150000.4.23.1
  - pkg:rpm/suse/ruby2.5 (SUSE Linux Enterprise Server for SAP Applications 15 SP1): < 2.5.9-150000.4.23.1
  - pkg:rpm/suse/ruby2.5 (SUSE Linux Enterprise Server for SAP Applications 15 SP2): < 2.5.9-150000.4.23.1
  - pkg:rpm/suse/ruby2.5 (SUSE Manager Proxy 4.1): < 2.5.9-150000.4.23.1
  - pkg:rpm/suse/ruby2.5 (SUSE Manager Retail Branch Server 4.1): < 2.5.9-150000.4.23.1
  - pkg:rpm/suse/ruby2.5 (SUSE Manager Server 4.1): < 2.5.9-150000.4.23.1
  - pkg:rpm/suse/ruby (SUSE WebYast 1.3): < 1.8.7.p357-0.9.20.3.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- https://security.gentoo.org/glsa/202401-27 (MITRE; vendor advisory)
- https://lists.debian.org/debian-lts-announce/2021/10/msg00009.html (MITRE; mailing list)
- https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html (MITRE; mailing list)
- https://github.com/ruby/ruby/commit/a21a3b7d23704a01d34bd79d09dc37897e00922a (MITRE)
- https://hackerone.com/reports/1178562 (MITRE)
- https://security.netapp.com/advisory/ntap-20210902-0004/ (MITRE)
- https://www.oracle.com/security-alerts/cpuapr2022.html (MITRE)
- https://www.ruby-lang.org/en/news/2021/07/07/starttls-stripping-in-net-imap/ (MITRE)
News mentions
No linked articles in our index yet.