CVE Vulnerabilities

CVE-2016-11086

Improper Certificate Validation

Published: Sep 24, 2020 | Modified: Oct 05, 2020
CVSS 3.x
7.4
HIGH
Source:
NVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
CVSS 2.x
5.8 MEDIUM
AV:N/AC:M/Au:N/C:P/I:P/A:N
RedHat/V2
RedHat/V3
Ubuntu
MEDIUM

lib/oauth/consumer.rb in the oauth-ruby gem through 0.5.4 for Ruby does not verify server X.509 certificates if a certificate bundle cannot be found, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information.

Weakness

The product does not validate, or incorrectly validates, a certificate.

Affected Software

Name Vendor Start Version End Version
Oauth-ruby Oauth-ruby_project * 0.5.4 (including)
Ruby-oauth Ubuntu bionic *
Ruby-oauth Ubuntu groovy *
Ruby-oauth Ubuntu hirsute *
Ruby-oauth Ubuntu impish *
Ruby-oauth Ubuntu kinetic *
Ruby-oauth Ubuntu lunar *
Ruby-oauth Ubuntu mantic *
Ruby-oauth Ubuntu trusty *
Ruby-oauth Ubuntu xenial *

Potential Mitigations

References