Improper certificate validation in em-imap
Published: May 24, 2021
SECURITY IDENTIFIERS
- CVE: CVE-2020-13163 (NVD)
- GHSA: GHSA-4f68-49qq-h392
GEM
SEVERITY
CVSS v3.x: 7.4 (High)
PATCHED VERSIONS
None available.
DESCRIPTION
em-imap 0.5 and earlier use the library eventmachine in an insecure way that allows an attacker to perform a man-in-the-middle attack against users of the library. The hostname in a TLS server certificate is not verified.