skip to content
Back to GitHub.com
Home Bounties Research Advisories Get Involved Events
June 17, 2020

GHSL-2020-094: Missing SSL/TLS certificate hostname validation in em-http-request - CVE-2020-13482

Agustin Gianni

Summary

Missing hostname validation allows an attacker to perform a person in the middle attack against users of the em-http-request library.

Product

em-http-request

Tested Version

1.1.5

Details

GHSL-2020-094: Missing SSL/TLS certificate hostname validation

em-http-request uses the library eventmachine in an insecure way that allows an attacker to perform a person in the middle attack against users of the library.

Impact

An attacker can assume the identity of a trusted server and introduce malicious data in an otherwise trusted place.

CVE

Coordinated Disclosure Timeline

This report was subject to the GHSL coordinated disclosure policy.

Resources

Credit

This issue was discovered and reported by GHSL team member @agustingianni (Agustin Gianni).

Contact

You can contact the GHSL team at securitylab@github.com, please include the GHSL-ID: GHSL-2020-094 in any communication regarding this issue.