Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2020-15133

Good to know:

icon

Date: July 31, 2020

In faye-websocket before version 0.11.0, there is a lack of certification validation in TLS handshakes. The "Faye::WebSocket::Client" class uses the "EM::Connection#start_tls" method in EventMachine to implement the TLS handshake whenever a "wss:" URL is used for the connection. This method does not implement certificate verification by default, meaning that it does not check that the server presents a valid and trusted TLS certificate for the expected hostname. That means that any "wss:" connection made using this library is vulnerable to a man-in-the-middle attack, since it does not confirm the identity of the server it is connected to. For further background information on this issue, please see the referenced GitHub Advisory. Upgrading "faye-websocket" to v0.11.0 is recommended.

Language: Ruby

Severity Score

Related Resources (17)

https://github.com/eventmachine/eventmachine/issues/275
https://blog.jcoglan.com/2020/07/31/missing-tls-verification-in-faye
https://github.com/faye/faye-websocket-ruby/pull/129
https://github.com/faye/faye-websocket-ruby
https://github.com/faye/faye-websocket-ruby/security/advisories/GHSA-2v5c-755p-p4gv
https://www.rubydoc.info/github/eventmachine/eventmachine/EventMachine/Connection:start_tls
https://blog.jcoglan.com/2020/07/31/missing-tls-verification-in-faye/
https://www.rubydoc.info/github/eventmachine/eventmachine/EventMachine/Connection:ssl_verify_peer
https://nvd.nist.gov/vuln/detail/CVE-2020-15133
https://security-tracker.debian.org/tracker/CVE-2020-15133
https://github.com/faye/faye/issues/524
https://github.com/eventmachine/eventmachine/issues/814
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/faye-websocket/CVE-2020-15133.yml
https://github.com/eventmachine/eventmachine/pull/378
https://securitylab.github.com/advisories/GHSL-2020-094-igrigorik-em-http-request
https://github.com/igrigorik/em-http-request/pull/340
https://www.mend.io/vulnerability-database/CVE-2020-15133

Severity Score

Weakness Type (CWE)

Improper Certificate Validation

CWE-295

Top Fix

icon

Upgrade Version

Upgrade to version faye-websocket - 0.11.0

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): HIGH
Privileges Required (PR): NONE
User Interaction (UI): REQUIRED
Scope (S): CHANGED
Confidentiality (C): HIGH
Integrity (I): HIGH
Availability (A): NONE

CVSS v2

Base Score:
Access Vector (AV): NETWORK
Access Complexity (AC): MEDIUM
Authentication (AU): NONE
Confidentiality (C): PARTIAL
Integrity (I): PARTIAL
Availability (A): NONE
Additional information:

Do you need more information?

Contact Us