Improper Certificate Validation in twitter-stream
Published: March 29, 2021
SECURITY IDENTIFIERS
- CVE: CVE-2020-24392 (NVD)
- GHSA: GHSA-p6p8-q4pj-f74m
GEM
SEVERITY
CVSS v3.x: 5.9 (Medium)
PATCHED VERSIONS
None available.
DESCRIPTION
In voloko twitter-stream 0.1.16, missing TLS hostname validation allows an attacker to perform a man-in-the-middle attack against users of the library (because eventmachine is misused).
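
The gap named in the description, as an added example (not code from twitter-stream or eventmachine): a certificate can pass chain validation and still belong to a different host, so a client must also check the certificate identity against the host it dialed. The CA, the certificate and both hostnames are constructed for the demonstration, and `make_cert` and `check_peer` are hypothetical helper names; only Ruby's `openssl` standard library is used.

```ruby
require "openssl"

# Build a certificate for the constructed test PKI (self-signed unless an issuer is given).
def make_cert(cn, key, issuer: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.new([["CN", cn]])
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.add_extension(ef.create_extension("subjectAltName", "DNS:#{cn}")) unless ca
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Accept a peer only if BOTH checks pass: the chain leads to a trusted CA,
# and the certificate names the host the client intended to reach.
def check_peer(leaf, store, expected_host)
  chain_ok = store.verify(leaf)
  host_ok = OpenSSL::SSL.verify_certificate_identity(leaf, expected_host)
  { chain_ok: chain_ok, host_ok: host_ok, accept: chain_ok && host_ok }
end

# Constructed sample data: a throwaway CA and a certificate it issued
# for other.example.test, which is not the host the client wants.
CA_KEY = OpenSSL::PKey::RSA.new(2048)
CA_CERT = make_cert("Constructed Test CA", CA_KEY, ca: true)
LEAF = make_cert("other.example.test", OpenSSL::PKey::RSA.new(2048),
                 issuer: CA_CERT, issuer_key: CA_KEY)
STORE = OpenSSL::X509::Store.new
STORE.add_cert(CA_CERT)

if __FILE__ == $PROGRAM_NAME
  # Chain-only validation would accept this peer; the hostname check rejects it.
  p check_peer(LEAF, STORE, "stream.example.test")
  # The same certificate is accepted for the host it was actually issued to.
  p check_peer(LEAF, STORE, "other.example.test")
end
```

EventMachine passes the peer certificate to the connection's `ssl_verify_peer` callback when `start_tls` is called with `verify_peer: true`; a decision like the one in `check_peer` is what that callback has to make.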
