CVE-2016-11086: Improper Certificate Validation

September 24, 2020 (updated October 5, 2020)

lib/oauth/consumer.rb in the oauth-ruby gem for Ruby does not verify server X.509 certificates if a certificate bundle cannot be found, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information.

References

github.com/oauth-xx/oauth-ruby/issues/137
nvd.nist.gov/vuln/detail/CVE-2016-11086

Code Behaviors & Features

Detect and mitigate CVE-2016-11086 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →