PT-2021-3883 · Ruby+10
Published 2021-04-28 · Updated 2025-12-12 · CVE-2021-32066
CVSS v3.1: 7.4 (High)
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
Ruby versions 2.6.7 and earlier, 2.7.x through 2.7.3, and 3.x through 3.0.1
Description
The issue lies in the implementation of the Net::IMAP class in the Ruby interpreter, specifically in errors in the certificate authentication procedure when handling the STARTTLS command. A remote attacker positioned between client and server might block the STARTTLS command and so perform a man-in-the-middle attack, also known as a "StartTLS stripping attack".
Recommendations
For Ruby versions 2.6.7 and earlier: update to a version later than 2.6.7.
For Ruby versions 2.7.x through 2.7.3: update to a version later than 2.7.3.
For Ruby versions 3.x through 3.0.1: update to a version later than 3.0.1.
As a temporary workaround, consider disabling the Net::IMAP class until a patch is available.
Restrict access to the STARTTLS command to minimize the risk of exploitation.
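The following Ruby snippet is an added example written for this record; it is not code from the Ruby project or from the advisory's author. It shows the client-side discipline that the description calls for: a session is either protected by TLS or not opened at all. With `implicit: true` the connection is TLS from the first byte, so there is no STARTTLS command for an on-path attacker to block; otherwise a failed STARTTLS upgrade closes the connection instead of continuing in cleartext. The helper names (`require_tls_session`, `TlsRequiredError`, `start_stripping_stub`, `tls_enforced?`) and the loopback stub server that answers STARTTLS with a tagged NO are constructed for the example.

```ruby
require "socket"
require "openssl"
require "net/imap"

# Hypothetical helper error, not part of Ruby: raised when a session cannot be TLS-protected.
class TlsRequiredError < StandardError; end

# Open an IMAP session that is either TLS-protected or not opened at all.
#
# implicit: true  -> TLS from the first byte (the IMAPS model); no STARTTLS
#                    command exists for an on-path attacker to block.
# implicit: false -> plaintext connection upgraded with STARTTLS; any failure of
#                    the upgrade (tagged NO/BAD, handshake error, certificate that
#                    does not verify) closes the socket and raises instead of
#                    silently continuing in cleartext.
def require_tls_session(host, port, implicit: false)
  ctx = { verify_mode: OpenSSL::SSL::VERIFY_PEER }
  return Net::IMAP.new(host, port: port, ssl: ctx) if implicit

  imap = Net::IMAP.new(host, port: port)
  begin
    imap.starttls(**ctx)
  rescue Net::IMAP::Error, OpenSSL::SSL::SSLError, IOError, SystemCallError => e
    imap.disconnect rescue nil
    raise TlsRequiredError,
          "STARTTLS upgrade to #{host}:#{port} failed (#{e.class}: #{e.message}); " \
          "refusing to continue in cleartext"
  end
  imap
end

# Constructed stand-in for a server whose STARTTLS has been blocked: it sends a
# greeting, answers the client's STARTTLS command with a tagged NO and closes.
# Returns the ephemeral loopback port and the server thread.
def start_stripping_stub
  server = TCPServer.new("127.0.0.1", 0)
  port = server.addr[1]
  thread = Thread.new do
    client = server.accept
    client.write("* OK stub ready\r\n")
    line = client.gets.to_s            # e.g. "RUBY0001 STARTTLS\r\n"
    tag = line.split(" ").first || "*"
    client.write("#{tag} NO STARTTLS unavailable\r\n")
    client.close
    server.close
  end
  [port, thread]
end

# True when the client refuses the cleartext session, false when it would have
# carried on without TLS (the behaviour the advisory describes).
def tls_enforced?(port)
  require_tls_session("127.0.0.1", port)
  false
rescue TlsRequiredError
  true
end

if __FILE__ == $PROGRAM_NAME
  port, stub = start_stripping_stub
  puts "TLS enforced against stripping stub: #{tls_enforced?(port)}"
  stub.join
end
```

The rescue branch only helps when the library reports the failed upgrade; on the affected versions listed above a blocked STARTTLS did not surface to the caller, which is why updating is the primary recommendation. Connecting with `implicit: true` avoids the STARTTLS round trip altogether and is the safer default where the server offers IMAPS.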
Improper Certificate Validation
Cleartext Transmission of Sensitive Information
Improper Handling of Exceptional Conditions
Affected Products
ALT Linux
AlmaLinux
Astra Linux
CentOS
Linux Mint
Red Hat
RED OS
Rocky Linux
Ruby
SUSE
Ubuntu