CVE-2020-24392 - Medium Severity Vulnerability
Vulnerable Library - twitter-stream-0.1.16.gem
Simple Ruby client library for twitter streaming API. Uses EventMachine for connection handling. Adheres to twitter's reconnection guideline. JSON format only.
Library home page: https://rubygems.org/gems/twitter-stream-0.1.16.gem
Path to vulnerable library: /vendor/cache/twitter-stream-0.1.16.gem
Dependency Hierarchy:
- :x: **twitter-stream-0.1.16.gem** (Vulnerable Library)
Vulnerability Details
In voloko twitter-stream 0.1.10, missing TLS hostname validation allows an attacker to perform a man-in-the-middle attack against users of the library (because eventmachine is misused).
Publish Date: 2021-02-19
URL: CVE-2020-24392
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: None