GHSA-6hrm-jqp3-64cv

Source

https://github.com/advisories/GHSA-6hrm-jqp3-64cv

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-6hrm-jqp3-64cv/GHSA-6hrm-jqp3-64cv.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-6hrm-jqp3-64cv

Aliases

CVE-2020-24393

Published

2021-04-13T15:42:36Z

Modified

2023-11-01T04:52:35.493097Z

Severity

5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator

Summary

Improper Certificate Validation in TweetStream

Details

TweetStream 2.6.1 uses the library eventmachine in an insecure way that does not have TLS hostname validation. This allows an attacker to perform a man-in-the-middle attack.

Database specific

{
    "cwe_ids": [
        "CWE-295"
    ],
    "severity": "MODERATE",
    "nvd_published_at": "2021-02-19T23:15:00Z",
    "github_reviewed": true,
    "github_reviewed_at": "2021-03-29T22:54:38Z"
}

References

Affected packages

RubyGems / tweetstream

Package

Name: tweetstream
Purl: pkg:gem/tweetstream

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

2.6.1

Affected versions

0.*

0.1.0

0.1.1

0.1.2

0.1.3

0.1.4

0.1.5

0.1.7

0.1.8

0.1.9

0.3.0

1.*

1.0.0

1.0.1

1.0.2

1.0.3

1.0.4

1.0.5

1.1.0.rc1

1.1.0.rc2

1.1.0

1.1.1

1.1.2

1.1.3

1.1.4

1.1.5

2.*

2.0.0

2.0.1

2.1.0

2.2.0

2.3.0

2.4.0

2.5.0

2.6.0

2.6.1

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-6hrm-jqp3-64cv/GHSA-6hrm-jqp3-64cv.json"