GHSA-6hrm-jqp3-64cv

Source
https://github.com/advisories/GHSA-6hrm-jqp3-64cv
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-6hrm-jqp3-64cv/GHSA-6hrm-jqp3-64cv.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-6hrm-jqp3-64cv
Aliases
Published
2021-04-13T15:42:36Z
Modified
2023-11-08T04:03:07.210453Z
Severity
  • 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Summary
Improper Certificate Validation in TweetStream
Details

TweetStream 2.6.1 uses the eventmachine library in an insecure way that does not perform TLS hostname validation. This allows an attacker to perform a man-in-the-middle attack.

Database specific
{
    "nvd_published_at": "2021-02-19T23:15:00Z",
    "github_reviewed_at": "2021-03-29T22:54:38Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-295"
    ]
}
References

Affected packages

RubyGems / tweetstream

Package

Name
tweetstream
Purl
pkg:gem/tweetstream

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Last affected
2.6.1

Affected versions

0.*

0.1.0
0.1.1
0.1.2
0.1.3
0.1.4
0.1.5
0.1.7
0.1.8
0.1.9
0.3.0

1.*

1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.1.0.rc1
1.1.0.rc2
1.1.0
1.1.1
1.1.2
1.1.3
1.1.4
1.1.5

2.*

2.0.0
2.0.1
2.1.0
2.2.0
2.3.0
2.4.0
2.5.0
2.6.0
2.6.1