CVE-2016-11086

lib/oauth/consumer.rb in the oauth-ruby gem through 0.5.4 for Ruby does not verify server X.509 certificates if a certificate bundle cannot be found, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.4 HIGH
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 35%
VendorProductVersion
oauth-ruby_projectoauth-ruby
𝑥
≤ 0.5.4
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
ruby-oauth
sid
unimportant
trixie
unimportant
bookworm
unimportant
bullseye
unimportant
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
ruby-oauth
noble
needs-triage
mantic
ignored
lunar
ignored
kinetic
ignored
jammy
needs-triage
impish
ignored
hirsute
ignored
groovy
ignored
focal
needs-triage
bionic
needs-triage
xenial
needs-triage
trusty
dne
Common Weakness Enumeration
References
https://github.com/oauth-xx/oauth-ruby/issues/137
https://github.com/oauth-xx/oauth-ruby/issues/137