CVE-2020-11020
Published 2020-04-29
Priority: P260 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.53% (71.7th percentile)
Faye (NPM, RubyGem) versions greater than 0.5.0 and before 1.0.4, 1.1.3 and 1.2.5 have the potential for authentication bypass in the extension system. The vulnerability allows any client to bypass checks put in place by server-side extensions, by appending extra segments to the message channel. It is patched in versions 1.0.4, 1.1.3 and 1.2.5.
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | ruby-faye | < ruby-faye 1.4.0-1 (bookworm) | ruby-faye 1.4.0-1 (bookworm) |
| faye | faye | — | — |
| faye | faye | — | — |
| faye | faye | — | — |
| faye | faye | >= 0.5.0 < 1.0.4 | 1.0.4 |
| faye | faye | >= 1.1.0 < 1.1.3 | 1.1.3 |
| faye | faye | >= 1.2.0 < 1.2.5 | 1.2.5 |
| faye_project | faye | < 1.0.4 | 1.0.4 |
| faye_project | faye | >= 1.1.0 < 1.1.3 | 1.1.3 |
| faye_project | faye | >= 1.2.0 < 1.2.5 | 1.2.5 |
Detection & IOCs (extracted from sources)
- Authentication bypass is triggered by appending extra segments to the message channel in Faye's extension system; monitor for channel values with unexpected trailing path segments (e.g., '/meta/connect/extra') in Faye message traffic.
- Debian bookworm and bullseye have resolved this via package version 1.4.0-1; confirm the package version on Debian-based deployments.
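The two checks above as an added example (not code from the Faye project or from the advisories indexed here): a scanner that flags `/meta/*` channels carrying trailing segments, and a version test against the affected ranges in the table on this page. It assumes Faye traffic is available as parsed JSON messages; `inspectChannel`, `scanPayload` and `isAffected` are illustrative names, and the five meta channels are those defined by the Bayeux protocol.

```javascript
// Meta channels defined by the Bayeux protocol that Faye implements.
const META = new Set(['/meta/handshake', '/meta/connect', '/meta/subscribe',
                      '/meta/unsubscribe', '/meta/disconnect']);

// Returns null for a benign channel, or a reason string when it should be flagged.
function inspectChannel(channel) {
  if (typeof channel !== 'string') return 'channel is not a string';
  if (!channel.startsWith('/meta/')) return null;   // ordinary application channel
  if (META.has(channel)) return null;               // exact, well-known meta channel
  const base = '/' + channel.split('/').filter(Boolean).slice(0, 2).join('/');
  return META.has(base) ? `extra segments after ${base}` : 'unknown meta channel';
}

// Bayeux payloads may be a single message or a batch (array) of messages.
function scanPayload(payload) {
  const findings = [];
  for (const msg of Array.isArray(payload) ? payload : [payload]) {
    const channel = msg ? msg.channel : undefined;
    const reason = inspectChannel(channel);
    if (reason) findings.push({ channel, clientId: msg ? msg.clientId : undefined, reason });
  }
  return findings;
}

// Affected ranges from the table on this page, as [introduced, fixed).
const AFFECTED = [['0.5.0', '1.0.4'], ['1.1.0', '1.1.3'], ['1.2.0', '1.2.5']];

function compareVersions(a, b) {
  const x = a.split('.').map(Number), y = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (x[i] || 0) - (y[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

function isAffected(version) {
  return AFFECTED.some(([lo, hi]) =>
    compareVersions(version, lo) >= 0 && compareVersions(version, hi) < 0);
}

// Constructed sample traffic (not captured from a real system).
const SAMPLE = [
  { channel: '/meta/subscribe', clientId: 'c1', subscription: '/chat/general' },
  { channel: '/meta/connect/extra', clientId: 'c2', connectionType: 'long-polling' },
  { channel: '/meta/subscribe/extra', clientId: 'c2', subscription: '/chat/general' },
  { channel: '/chat/general', clientId: 'c1', data: { text: 'hello' } },
];
console.log(scanPayload(SAMPLE), isAffected('1.2.4'));
```

Application channels outside `/meta/` are passed through untouched, so the scanner only reports on the meta namespace that server-side extensions typically gate.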
CVSS provenance
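| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 8.5 | HIGH | — |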
OSV
CVE-2020-11020: Faye (NPM, RubyGem) versions greater than 0
osv·2020-04-29·CVSS 9.8
CVE-2020-11020 [CRITICAL] CVE-2020-11020: Faye (NPM, RubyGem) versions greater than 0
Faye (NPM, RubyGem) versions greater than 0.5.0 and before 1.0.4, 1.1.3 and 1.2.5 have the potential for authentication bypass in the extension system. The vulnerability allows any client to bypass checks put in place by server-side extensions, by appending extra segments to the message channel. It is patched in versions 1.0.4, 1.1.3 and 1.2.5.
OSV
Authentication and extension bypass in Faye
osv·2020-04-29
CVE-2020-11020 [HIGH] Authentication and extension bypass in Faye
Authentication and extension bypass in Faye
On 20 April 2020 it was reported to me that the potential for authentication bypass exists in [Faye][1]'s extension system. This vulnerability has existed in the Node.js and Ruby versions of the server since version 0.5.0, when extensions were first introduced, in July 2010. It is patched in versions 1.0.4, 1.1.3 and 1.2.5, which we are releasing today.
The vulnerability allows any client to bypass checks put in place by server-side extensions, by appending extra segments to the message channel. For example, the Faye [extension docs][2] suggest that users implement access control for subscriptions by checking incoming messages for the `/meta/subscribe` channel, for example:
```js
server.addExtension({
  incoming: function(message, callback) {
    if …
```
GHSA
Authentication and extension bypass in Faye
ghsa·2020-04-29
CVE-2020-11020 [HIGH] CWE-287 Authentication and extension bypass in Faye
Debian
CVE-2020-11020: ruby-faye - Faye (NPM, RubyGem) versions greater than 0.5.0 and before 1.0.4, 1.1.3 and 1.2....
vendor_debian·2020·CVSS 8.5
CVE-2020-11020 [HIGH] CVE-2020-11020: ruby-faye - Faye (NPM, RubyGem) versions greater than 0.5.0 and before 1.0.4, 1.1.3 and 1.2....
Faye (NPM, RubyGem) versions greater than 0.5.0 and before 1.0.4, 1.1.3 and 1.2.5 have the potential for authentication bypass in the extension system. The vulnerability allows any client to bypass checks put in place by server-side extensions, by appending extra segments to the message channel. It is patched in versions 1.0.4, 1.1.3 and 1.2.5.
Scope: local
bookworm: resolved (fixed in 1.4.0-1)
bullseye: resolved (fixed in 1.4.0-1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.