CVE-2021-32066
First published: Wed Jul 07 2021(Updated: )
An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. Net::IMAP does not raise an exception when StartTLS fails with an an unknown response, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a "StartTLS stripping attack."
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/rh-ruby27-ruby | <0:2.7.4-130.el7 | 0:2.7.4-130.el7 |
| redhat/rh-ruby30-ruby | <0:3.0.2-148.el7 | 0:3.0.2-148.el7 |
| redhat/rh-ruby26-ruby | <0:2.6.9-120.el7 | 0:2.6.9-120.el7 |
| redhat/ruby | <3.0.2 | 3.0.2 |
| redhat/ruby | <2.7.4 | 2.7.4 |
| redhat/ruby | <2.6.8 | 2.6.8 |
| redhat/rubygem-net-imap | <0.2.2 | 0.2.2 |
| Ruby | >=2.6.0<=2.6.7 | |
| Ruby | >=2.7.0<=2.7.3 | |
| Ruby | >=3.0.0<=3.0.1 | |
| Oracle JD Edwards EnterpriseOne Tools | <9.2.6.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2021-32066 https://nvd.nist.gov/vuln/detail/CVE-2021-32066 https://www.ruby-lang.org/en/news/2021/07/07/starttls-stripping-in-net-imap/
- https://bugzilla.redhat.com/show_bug.cgi?id=1980128
- https://access.redhat.com/errata/RHSA-2021:3020
- https://access.redhat.com/errata/RHSA-2022:0543
- https://access.redhat.com/errata/RHSA-2022:0672
- https://access.redhat.com/errata/RHSA-2022:0581
- https://access.redhat.com/errata/RHSA-2022:0582
- https://access.redhat.com/errata/RHSA-2022:0544
- https://access.redhat.com/errata/RHSA-2021:3559
- https://access.redhat.com/errata/RHSA-2021:3982
- https://access.redhat.com/errata/RHSA-2022:0708
- https://access.redhat.com/security/cve/cve-2021-32066
- https://github.com/ruby/ruby/commit/a21a3b7d23704a01d34bd79d09dc37897e00922a
- https://hackerone.com/reports/1178562
- https://lists.debian.org/debian-lts-announce/2021/10/msg00009.html
- https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html
- https://security.netapp.com/advisory/ntap-20210902-0004/
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.ruby-lang.org/en/news/2021/07/07/starttls-stripping-in-net-imap/
- https://www.ruby-lang.org/en/news/2021/07/07/ruby-3-0-2-released/
- https://www.ruby-lang.org/en/news/2021/07/07/ruby-2-7-4-released/
- https://www.ruby-lang.org/en/news/2021/07/07/ruby-2-6-8-released/
- https://git.ruby-lang.org/ruby.git/commit/?id=e2ac25d0eb66de99f098d6669cf4f06796aa6256
- https://github.com/ruby/net-imap/commit/adba6f0c3e5c5607c4822b9120322eb7e9a77891
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1980570
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1980571
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1980567
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1980568
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1980569
- https://security.gentoo.org/glsa/202401-27
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is the vulnerability ID for this issue?
The vulnerability ID for this issue is CVE-2021-32066.
What is the severity of CVE-2021-32066?
The severity of CVE-2021-32066 is high with a CVSS score of 7.4.
Which software versions are affected by CVE-2021-32066?
Ruby versions through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1 are affected by CVE-2021-32066.
How can a man-in-the-middle attacker exploit CVE-2021-32066?
A man-in-the-middle attacker can exploit CVE-2021-32066 by using it to prevent Ruby applications using Net::IMAP from enabling TLS encryption for a connection.
Where can I find more information about CVE-2021-32066?
You can find more information about CVE-2021-32066 on the CVE website, NVD, Ruby's official website, and the Red Hat Bugzilla and Errata pages.
- collector/redhat-cve
- agent/type
- agent/author
- agent/first-publish-date
- agent/weakness
- agent/severity
- agent/remedy
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-32066
- agent/software-canonical-lookup
- agent/references
- agent/event
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/trending
- agent/source
- agent/tags
- agent/softwarecombine
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-index
- package-manager/redhat
- vendor/ruby-lang
- canonical/ruby
- version/ruby/2.6.0
- version/ruby/2.6.7
- version/ruby/2.7.0
- version/ruby/2.7.3
- version/ruby/3.0.0
- version/ruby/3.0.1
- vendor/oracle
- canonical/oracle jd edwards enterpriseone tools