Lucene search

RubySecRUBY:TWEETSTREAM-2020-24393

HistoryApr 12, 2021 - 9:00 p.m.

Improper Certificate Validation in TweetStream

2021-04-1221:00:00

RubySec

securitylab.github.com

tweetstream

library eventmachine

insecure

tls hostname validation

man-in-the-middle

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

5.9

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

JSON

TweetStream 2.6.1 uses the library eventmachine in an insecure way that
does not have TLS hostname validation. This allows an attacker to perform a man-in-the-middle
attack.

References

securitylab.github.com/advisories/GHSL-2020-096-tweetstream-tweetstream/

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

5.9

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

JSON

Related for RUBY:TWEETSTREAM-2020-24393