GHSA-p6p8-q4pj-f74m

Suggest an improvement
Source
https://github.com/advisories/GHSA-p6p8-q4pj-f74m
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-p6p8-q4pj-f74m/GHSA-p6p8-q4pj-f74m.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-p6p8-q4pj-f74m
Aliases
Published
2021-03-29T16:28:42Z
Modified
2023-11-01T04:52:35.434596Z
Severity
  • 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
Summary
Improper Certificate Validation in twitter-stream
Details

In voloko twitter-stream 0.1.16, missing TLS hostname validation allows an attacker to perform a man-in-the-middle attack against users of the library (because eventmachine is misused).

Database specific 
{
    "github_reviewed": true,
    "severity": "MODERATE",
    "nvd_published_at": "2021-02-19T23:15:00Z",
    "cwe_ids": [
        "CWE-295"
    ],
    "github_reviewed_at": "2021-03-19T19:21:49Z"
}
References

Affected packages

RubyGems / twitter-stream

Package

Name
twitter-stream
Purl
pkg:gem/twitter-stream

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
0.1.16

Affected versions

0.*

0.1.0
0.1.1
0.1.2
0.1.3
0.1.4
0.1.6
0.1.7
0.1.8
0.1.9
0.1.10
0.1.11
0.1.12
0.1.13
0.1.14
0.1.15
0.1.16