CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
EPSS
Percentile
58.5%
In faye-websocket before version 0.11.0, there is a lack of certification
validation in TLS handshakes. The Faye::WebSocket::Client
class uses the
EM::Connection#start_tls
method in EventMachine to implement the TLS
handshake whenever a wss:
URL is used for the connection. This method
does not implement certificate verification by default, meaning that it
does not check that the server presents a valid and trusted TLS certificate
for the expected hostname. That means that any wss:
connection made using
this library is vulnerable to a man-in-the-middle attack, since it does not
confirm the identity of the server it is connected to. For further
background information on this issue, please see the referenced GitHub
Advisory. Upgrading faye-websocket
to v0.11.0 is recommended.
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 20.04 | noarch | ruby-faye-websocket | < any | UNKNOWN |
ubuntu | 22.04 | noarch | ruby-faye-websocket | < any | UNKNOWN |
ubuntu | 24.04 | noarch | ruby-faye-websocket | < any | UNKNOWN |
blog.jcoglan.com/2020/07/31/missing-tls-verification-in-faye/
github.com/faye/faye-websocket-ruby/pull/129
github.com/faye/faye-websocket-ruby/security/advisories/GHSA-2v5c-755p-p4gv
launchpad.net/bugs/cve/CVE-2020-15133
nvd.nist.gov/vuln/detail/CVE-2020-15133
security-tracker.debian.org/tracker/CVE-2020-15133
www.cve.org/CVERecord?id=CVE-2020-15133
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
EPSS
Percentile
58.5%