CVE-2020-15134

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2020-15134

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-15134.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2020-15134

Aliases

GHSA-3q49-h8f9-9fr9

Related

UBUNTU-CVE-2020-15134

Published

2020-07-31T18:15:14Z

Modified

2024-09-18T03:07:39.773191Z

Severity

8.7 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N CVSS Calculator

Summary

[none]

Details

Faye before version 1.4.0, there is a lack of certification validation in TLS handshakes. Faye uses em-http-request and faye-websocket in the Ruby version of its client. Those libraries both use the EM::Connection#start_tls method in EventMachine to implement the TLS handshake whenever a wss: URL is used for the connection. This method does not implement certificate verification by default, meaning that it does not check that the server presents a valid and trusted TLS certificate for the expected hostname. That means that any https: or wss: connection made using these libraries is vulnerable to a man-in-the-middle attack, since it does not confirm the identity of the server it is connected to. The first request a Faye client makes is always sent via normal HTTP, but later messages may be sent via WebSocket. Therefore it is vulnerable to the same problem that these underlying libraries are, and we needed both libraries to support TLS verification before Faye could claim to do the same. Your client would still be insecure if its initial HTTPS request was verified, but later WebSocket connections were not. This is fixed in Faye v1.4.0, which enables verification by default. For further background information on this issue, please see the referenced GitHub Advisory.

References

Affected packages

Debian:11 / ruby-faye

Package

Name: ruby-faye
Purl: pkg:deb/debian/ruby-faye?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.4.0-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / ruby-faye

Package

Name: ruby-faye
Purl: pkg:deb/debian/ruby-faye?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.4.0-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / ruby-faye

Package

Name: ruby-faye
Purl: pkg:deb/debian/ruby-faye?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.4.0-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/faye/faye

Affected ranges

Type: GIT
Repo: https://github.com/faye/faye
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

60141e8d3942a88ba3de6a9b3aef9503bc1bb1e6

Affected versions

0.*

0.1.0

0.1.1

0.2.0

0.2.1

0.2.2

0.3.0

0.3.1

0.3.2

0.3.3

0.3.4

0.5.0

0.5.1

0.5.2

0.5.3

0.5.4

0.6.0

0.6.1

0.6.2

0.6.3

0.6.4

0.6.5

0.6.6

0.6.7

0.7.0

0.7.1

0.8.0

0.8.1

0.8.2

0.8.3

0.8.4

0.8.5

0.8.6

0.8.7

0.8.8

0.8.9

1.*

1.0.0

1.0.1

1.0.2

1.0.3

1.1.0

1.1.1

1.1.2

1.2.0

1.2.1

1.2.2

1.2.3

1.2.4

1.3.0