CVE-2020-24393 — MEDIUM (5.9)

Vulnerability Description

TweetStream 2.6.1 uses the library eventmachine in an insecure way that does not have TLS hostname validation. This allows an attacker to perform a man-in-the-middle attack.

CVSS Score

5.9

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Tweetstream Project	Tweetstream	2.6.1

Related Weaknesses (CWE)

CWE-295

References

https://github.com/tweetstream/tweetstreamProduct
https://securitylab.github.com/advisories/GHSL-2020-096-tweetstream-tweetstreamExploitThird Party Advisory
https://github.com/tweetstream/tweetstreamProduct
https://securitylab.github.com/advisories/GHSL-2020-096-tweetstream-tweetstreamExploitThird Party Advisory

FAQ

What is CVE-2020-24393?

CVE-2020-24393 is a vulnerability with a CVSS score of 5.9 (MEDIUM). TweetStream 2.6.1 uses the library eventmachine in an insecure way that does not have TLS hostname validation. This allows an attacker to perform a man-in-the-middle attack.

How severe is CVE-2020-24393?

CVE-2020-24393 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2020-24393?

Check the references section above for vendor advisories and patch information. Affected products include: Tweetstream Project Tweetstream.