CVSS2
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS3
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

EPSS
Percentile: 58.5%

In Faye before version 1.4.0, there is a lack of certificate validation in
TLS handshakes. Faye uses em-http-request and faye-websocket in the Ruby
version of its client. Those libraries both use the
EM::Connection#start_tls method in EventMachine to implement the TLS
handshake whenever a wss: URL is used for the connection. This method
does not implement certificate verification by default, meaning that it
does not check that the server presents a valid and trusted TLS certificate
for the expected hostname. That means that any https: or wss: connection
made using these libraries is vulnerable to a man-in-the-middle attack,
since it does not confirm the identity of the server it is connected to.
The first request a Faye client makes is always sent via normal HTTP, but
later messages may be sent via WebSocket. Therefore it is vulnerable to the
same problem that these underlying libraries are, and we needed both
libraries to support TLS verification before Faye could claim to do the
same. Your client would still be insecure if its initial HTTPS request was
verified, but later WebSocket connections were not. This is fixed in Faye
v1.4.0, which enables verification by default. For further background
information on this issue, please see the referenced GitHub Advisory.
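
The two checks the description says were skipped (a trusted certificate chain, and a certificate issued for the expected hostname) can be shown with Ruby's standard OpenSSL library. This is an added example, not code from Faye, EventMachine or the advisory; the helper names, the test CA and the example.test hostnames are constructed for illustration.

```ruby
require "openssl"

# Build a short-lived certificate for `cn` (constructed test data).
# Signed by `issuer` when given, otherwise self-signed.
def make_cert(cn, issuer: nil, ca: false)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer[:cert].subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer ? issuer[:cert] : cert
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.add_extension(ef.create_extension("subjectAltName", "DNS:#{cn}")) unless ca
  cert.sign(issuer ? issuer[:key] : key, OpenSSL::Digest.new("SHA256"))
  { cert: cert, key: key }
end

# Check 1: the chain leads to a CA in the trust store.
# Check 2: the certificate names the host the client meant to reach.
def server_identity_ok?(cert, hostname, store)
  store.verify(cert) && OpenSSL::SSL.verify_certificate_identity(cert, hostname)
end

# Three constructed cases against a trust store holding one test CA.
def constructed_cases
  ca = make_cert("Constructed Test CA", ca: true)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca[:cert])
  good = make_cert("faye.example.test", issuer: ca)[:cert]
  rogue = make_cert("faye.example.test")[:cert] # self-signed, not in the store
  {
    trusted_and_matching: server_identity_ok?(good, "faye.example.test", store),
    trusted_wrong_host: server_identity_ok?(good, "other.example.test", store),
    untrusted_right_name: server_identity_ok?(rogue, "faye.example.test", store)
  }
end

puts constructed_cases.inspect if __FILE__ == $PROGRAM_NAME
```

A client that performs neither check accepts all three certificates; one that performs both accepts only the first.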
blog.jcoglan.com/2020/07/31/missing-tls-verification-in-faye/
github.com/faye/faye/issues/524
github.com/faye/faye/security/advisories/GHSA-3q49-h8f9-9fr9
launchpad.net/bugs/cve/CVE-2020-15134
nvd.nist.gov/vuln/detail/CVE-2020-15134
security-tracker.debian.org/tracker/CVE-2020-15134
www.cve.org/CVERecord?id=CVE-2020-15134