NVD Vulnerability Detail

CVE-2021-32066

Summary	An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. Net::IMAP does not raise an exception when StartTLS fails with an an unknown response, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a "StartTLS stripping attack."
Publication Date	Aug. 2, 2021, 4:15 a.m.
Registration Date	Aug. 2, 2021, 10 a.m.
Last Update	Nov. 21, 2024, 3:06 p.m.

Affected software configurations

Configuration2		or higher	or less	more than	less than
cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools::::::::					9.2.6.1

Related information, measures and tools

No	URL	タグ
1	https://github.com/ruby/ruby/commit/a21a3b7d23704a01d34bd79d09dc37897e00922a	Patch Third Party Advisory
2	https://github.com/ruby/ruby/commit/a21a3b7d23704a01d34bd79d09dc37897e00922a	Patch Third Party Advisory
3	https://hackerone.com/reports/1178562	Exploit Patch Third Party Advisory
4	https://hackerone.com/reports/1178562	Exploit Patch Third Party Advisory
5	https://lists.debian.org/debian-lts-announce/2021/10/msg00009.html	Third Party Advisory
6	https://lists.debian.org/debian-lts-announce/2021/10/msg00009.html	Third Party Advisory
7	https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html
8	https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html
9	https://security.gentoo.org/glsa/202401-27
10	https://security.gentoo.org/glsa/202401-27
11	https://security.netapp.com/advisory/ntap-20210902-0004/	Third Party Advisory
12	https://security.netapp.com/advisory/ntap-20210902-0004/	Third Party Advisory
13	https://www.oracle.com/security-alerts/cpuapr2022.html	Patch Third Party Advisory
14	https://www.oracle.com/security-alerts/cpuapr2022.html	Patch Third Party Advisory
15	https://www.ruby-lang.org/en/news/2021/07/07/starttls-stripping-in-net-imap/	Vendor Advisory
16	https://www.ruby-lang.org/en/news/2021/07/07/starttls-stripping-in-net-imap/	Vendor Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-755	例外的な状態における不適切な処理	https://cwe.mitre.org/data/definitions/755.html

JVN Vulnerability Information

Ruby における暗号強度に関する脆弱性

Title	Ruby における暗号強度に関する脆弱性
Summary	Ruby には、暗号強度に関する脆弱性が存在します。
Possible impacts	情報を取得される、および情報を改ざんされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	July 7, 2021, midnight
Registration Date	Aug. 24, 2022, 11:27 a.m.
Last Update	Aug. 24, 2022, 11:27 a.m.

Affected System

オラクル

JD Edwards EnterpriseOne Tools

Ruby-lang.org

Ruby 2.6.7 まで

Ruby 2.7.3 までの 2.7.x

Ruby 3.0.1 までの 3.x

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2021-32066	https://www.cve.org/CVERecord?id=CVE-2021-32066
National Vulnerability Database (NVD)
2	CVE-2021-32066	https://nvd.nist.gov/vuln/detail/CVE-2021-32066
Ruby
3	CVE-2021-32066: A StartTLS stripping vulnerability in Net::IMAP	https://www.ruby-lang.org/en/news/2021/07/07/starttls-stripping-in-net-imap/

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-326	https://cwe.mitre.org/data/definitions/326.html

ベンダー情報

No	Name	URL
GitHub
1	Fix StartTLS stripping vulnerability	https://github.com/ruby/ruby/commit/a21a3b7d23704a01d34bd79d09dc37897e00922a
Oracle Critical Patch Update
2	Oracle Critical Patch Update Advisory - April 2022	https://www.oracle.com/security-alerts/cpuapr2022.html

その他

No	Name	URL
関連文書
1	1178562 (imap: StartTLS stripping attack (CVE-2016-0772))	https://hackerone.com/reports/1178562

Change Log

No	Changed Details	Date of change
1	[2022年08月24日] 掲載	Aug. 24, 2022, 11:27 a.m.