CVE-2016-11086

lib/oauth/consumer.rb in the oauth-ruby gem through 0.5.4 for Ruby does not verify server X.509 certificates if a certificate bundle cannot be found, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information.

Published: Sep 24, 2020
Updated: May 9, 2024
CVE: CVE-2016-11086
GHSA: GHSA-7359-3c6r-hfc2
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.4
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

CVSS v2:

Severity: Medium
Score: 5.8
AV:N/AC:M/Au:N/C:P/I:P/A:N

CWEs:

CWE-295

OWASP TOP 10:

A3 - Sensitive Data Exposure

Affected Software
References

Software	From	Fixed in
oauth-ruby_project / oauth-ruby	-	0.5.4.x
oauth	-	0.5.5

https://github.com/oauth-xx/oauth-ruby/commit/eb5b00a91d4ef0899082fdba929c34ccad6d4ccb
https://github.com/oauth-xx/oauth-ruby/issues/137
https://github.com/oauth-xx/oauth-ruby/releases/tag/v0.5.5
https://rubygems.org/gems/oauth

Vulnerability Database

290,278

CVE-2016-11086