Bug 1911457 (CVE-2020-13482)
| Summary: | CVE-2020-13482 rubygem-em-http-request: missing SSL hostname validation allows MITM | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | unspecified | CC: | dbecker, jar.prokop, jjoyce, jschluet, lhh, lpeer, mburns, mrunge, rhel8-maint, sclewis, slinaber |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | rubygem-em-http-request 1.1.6 | Doc Type: | If docs needed, set a value |
| Doc Text: | A flaw was found in rubygem-em-http-request. The eventmachine library does not verify the hostname in a TLS server certificate, which can allow an attacker to perform a man-in-the-middle attack. The highest threat from this vulnerability is to data confidentiality and integrity. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-03-18 13:51:45 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1911458, 1913523 | | |
| Bug Blocks: | 1911459 | | |
Description
Guilherme de Almeida Suckevicz
2020-12-29 14:44:19 UTC
Created rubygem-em-http-request tracking bugs for this issue:

Affects: fedora-all [bug 1911458]

Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Additional patch for warnings: https://github.com/igrigorik/em-http-request/commit/157d5ff281c503656192825c388b28e7f35e04ce

This issue has been addressed in the following products:

Red Hat OpenStack Platform 13.0 Operational Tools for RHEL 7

Via RHSA-2021:0937 https://access.redhat.com/errata/RHSA-2021:0937

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2020-13482
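The Doc Text above names the missing check: the client never compared the hostname it connected to against the identity in the server's TLS certificate, so any certificate that chains to a trusted CA would be accepted. The following is an added example, not code from this bug report or from em-http-request; it builds a constructed self-signed certificate (made-up host names) and runs the post-handshake identity check with Ruby's standard-library OpenSSL, in the shape a client would call from a handshake-completed hook.

```ruby
require "openssl"

# Constructed test certificate: self-signed, identity carried in a
# subjectAltName extension. Not a real server certificate.
def make_test_cert(dns_names)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{dns_names.first}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  san = dns_names.map { |n| "DNS:#{n}" }.join(",")
  cert.add_extension(ef.create_extension("subjectAltName", san, false))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# The check that was missing: does the certificate belong to the host we
# meant to reach? Chain validation alone does not answer that. Ruby's
# OpenSSL::SSL.verify_certificate_identity matches the expected host
# against SAN dNSName entries (wildcards included), falling back to the
# CN only when no dNSName is present.
def hostname_matches?(cert, expected_host)
  OpenSSL::SSL.verify_certificate_identity(cert, expected_host)
end

# Shape of a handshake-completed hook (hypothetical name): reject the
# connection with a reason instead of silently proceeding.
def check_peer(cert_pem, expected_host)
  cert = OpenSSL::X509::Certificate.new(cert_pem)
  unless hostname_matches?(cert, expected_host)
    return [:reject, "certificate not valid for #{expected_host}"]
  end
  [:ok, cert.subject.to_s]
end

if $PROGRAM_NAME == __FILE__
  cert = make_test_cert(["api.example.test", "*.cdn.example.test"])
  p check_peer(cert.to_pem, "api.example.test")      # [:ok, ...]
  p check_peer(cert.to_pem, "www.cdn.example.test")  # [:ok, ...]
  p check_peer(cert.to_pem, "login.example.test")    # [:reject, ...]
end
```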