June 17, 2020

GHSL-2020-094: Missing SSL/TLS certificate hostname validation in em-http-request - CVE-2020-13482

Agustin Gianni

Summary

Missing hostname validation allows an attacker to perform a person in the middle attack against users of the em-http-request library.

Product

em-http-request

Tested Version

1.1.5

Details

GHSL-2020-094: Missing SSL/TLS certificate hostname validation

em-http-request uses the eventmachine library without validating that the hostname in the server's SSL/TLS certificate matches the host being contacted, which allows an attacker to perform a person in the middle attack against users of the library.
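The missing check, shown as an added Ruby example that is not code from em-http-request or eventmachine: a chain-only check accepts any certificate a trusted CA signed, whatever name it carries, while the full check additionally matches the leaf certificate's identity against the host the client intended to reach. The certificate and the hostnames are constructed for the example.

```ruby
require "openssl"

# Constructed self-signed certificate for one hostname so the example runs
# offline; a real client receives the certificate from the peer.
def build_test_cert(hostname)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{hostname}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  cert.add_extension(ef.create_extension("subjectAltName", "DNS:#{hostname}"))
  cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Chain-only check: is the certificate signed by something in our trust store?
# On its own this still accepts a certificate issued for a different name, which
# is what leaves a client open to a person in the middle.
def chain_trusted?(cert, store)
  store.verify(cert)
end

# Full check: trusted chain AND the leaf's SAN/CN matches the expected host.
# OpenSSL::SSL.verify_certificate_identity performs the RFC 6125 style match
# (exact names and wildcards) that must follow chain verification.
def peer_verified?(cert, expected_host, store)
  chain_trusted?(cert, store) &&
    OpenSSL::SSL.verify_certificate_identity(cert, expected_host)
end
```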

Impact

An attacker can assume the identity of a trusted server and introduce malicious data in an otherwise trusted place.

CVE

  • CVE-2020-13482

Coordinated Disclosure Timeline

This report was subject to the GHSL coordinated disclosure policy.

  • 18/05/2020: Report sent to Vendor
  • 23/05/2020: Vendor acknowledged report
  • 24/05/2020: Report published to public
  • 30/05/2020: Vendor fixed the issue

Resources

Credit

This issue was discovered and reported by GHSL team member @agustingianni (Agustin Gianni).

Contact

You can contact the GHSL team at securitylab@github.com; please include the GHSL-ID GHSL-2020-094 in any communication regarding this issue.