Man-in-the-Middle (MitM)

Affecting em-http-request gem, versions <1.1.6


Overview

em-http-request is an EventMachine based, async HTTP Request client.

Affected versions of this package are vulnerable to Man-in-the-Middle (MitM) attacks. The package uses the eventmachine library in an insecure way: the hostname in a TLS server certificate is not verified, which allows an attacker to perform a man-in-the-middle attack against users of the library.
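The gap described above can be seen with Ruby's standard OpenSSL bindings. This is an added example, not code from em-http-request or eventmachine: it contrasts a check that stops at chain validation with one that also matches the certificate against the dialed hostname. The hostnames, the self-signed sample certificate, and the helper names `make_cert`, `chain_only_ok?` and `chain_and_host_ok?` are constructed for illustration.

```ruby
require "openssl"

# Constructed sample: a self-signed certificate whose only name is `hostname`.
def make_cert(hostname)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{hostname}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  cert.add_extension(ef.create_extension("subjectAltName", "DNS:#{hostname}"))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Incomplete check: the certificate chains to a trusted root, nothing more.
def chain_only_ok?(store, cert)
  store.verify(cert)
end

# Complete check: trusted chain AND the certificate names the host we dialed.
def chain_and_host_ok?(store, cert, expected_host)
  store.verify(cert) &&
    OpenSSL::SSL.verify_certificate_identity(cert, expected_host)
end

DIALED_HOST = "api.example.test"         # host the client meant to reach
CERT = make_cert("other.example.test")   # trusted certificate for another name
STORE = OpenSSL::X509::Store.new
STORE.add_cert(CERT)                     # stands in for the system trust store

puts "chain only:       #{chain_only_ok?(STORE, CERT)}"
puts "chain + hostname: #{chain_and_host_ok?(STORE, CERT, DIALED_HOST)}"
```

A client that accepts the first result treats any trusted certificate as proof of identity for any host, which is the condition CWE-300 describes.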

Remediation

Upgrade em-http-request to version 1.1.6 or higher.

CVSS Score

7.5 (high severity)

  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C

  • Credit: Unknown
  • CVE: CVE-2020-13482
  • CWE: CWE-300
  • Snyk ID: SNYK-RUBY-EMHTTPREQUEST-570369
  • Disclosed: 26 May, 2020
  • Published: 26 May, 2020