Description
An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. Net::IMAP does not raise an exception when StartTLS fails with an unknown response, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a "StartTLS stripping attack."
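The failure mode above, as an added example in Ruby that is not Net::IMAP's own code: a fail-closed check of the server's tagged reply to STARTTLS beside a lenient variant that models the bug (a reply with an unknown response name neither starts TLS nor raises, so a careless caller keeps using the plaintext socket). The helper names, the `StartTLSError` class and the sample server lines are all constructed for this example.

```ruby
# Added example (hypothetical helpers, not Net::IMAP's code).
# An IMAP tagged response has the form "<tag> <OK|NO|BAD> [text]";
# untagged lines start with "* ".
class StartTLSError < StandardError; end

# Fail-closed: returns :tls only when the server answered "<tag> OK".
# Every other outcome raises, so the caller can never continue in plaintext.
def starttls_outcome(tag, responses)
  responses.each do |line|
    next if line.start_with?("* ")          # untagged data, not our answer
    resp_tag, name, text = line.strip.split(" ", 3)
    next unless resp_tag == tag             # reply to some other command
    case name&.upcase
    when "OK" then return :tls              # only now is a TLS handshake safe
    when "NO", "BAD"
      raise StartTLSError, "server rejected STARTTLS (#{name}): #{text}"
    else
      # The vulnerable code fell through silently at this point.
      raise StartTLSError, "unknown response #{name.inspect} to STARTTLS; refusing plaintext"
    end
  end
  raise StartTLSError, "no tagged response to STARTTLS (possible stripping)"
end

# Lenient variant modelling the bug in the description: an unknown response
# name returns nil instead of raising, so a caller that does not check the
# result keeps the plaintext session open.
def starttls_outcome_lenient(tag, responses)
  responses.each do |line|
    resp_tag, name, text = line.strip.split(" ", 3)
    next unless resp_tag == tag
    return :tls if name == "OK"
    raise StartTLSError, "server rejected STARTTLS: #{text}" if %w[NO BAD].include?(name)
  end
  nil
end

# Constructed sample exchanges.
GOOD_REPLY    = ["* OK still here", "A001 OK Begin TLS negotiation now"]
UNKNOWN_REPLY = ["A001 FOO unexpected"]
```

The lenient function returns nil for UNKNOWN_REPLY while the strict one raises; a client must treat anything other than an explicit OK as a reason to abort rather than as "TLS not needed".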
Remediation
References