GHSA-7359-3c6r-hfc2
Suggest an improvement- Source
- https://github.com/advisories/GHSA-7359-3c6r-hfc2
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-7359-3c6r-hfc2/GHSA-7359-3c6r-hfc2.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-7359-3c6r-hfc2
- Aliases
- Published
- 2021-04-22T16:22:15Z
- Modified
- 2023-11-08T03:58:21.880410Z
- Severity
-
- 7.4 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
- Summary
- Improper Certificate Validation in oauth ruby gem
- Details
-
lib/oauth/consumer.rb in the oauth-ruby gem through 0.5.4 for Ruby does not verify server X.509 certificates if a certificate bundle cannot be found, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information.
- Database specific
{ "nvd_published_at": "2020-09-24T20:15:00Z", "github_reviewed_at": "2021-04-20T18:23:58Z", "severity": "HIGH", "github_reviewed": true, "cwe_ids": [ "CWE-295" ] }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2016-11086
- https://github.com/oauth-xx/oauth-ruby/issues/137
- https://github.com/oauth-xx/oauth-ruby/commit/eb5b00a91d4ef0899082fdba929c34ccad6d4ccb
- https://github.com/oauth-xx/oauth-ruby
- https://github.com/oauth-xx/oauth-ruby/releases/tag/v0.5.5
- https://rubygems.org/gems/oauth
Affected packages
RubyGems / oauth
Package
- Name
- oauth
- Purl
- pkg:gem/oauth