CVE-2020-15134
published 2020-07-31CVE-2020-15134: Faye before version 1.4.0, there is a lack of certification validation in TLS handshakes. Faye uses em-http-request and faye-websocket in the Ruby version of…
PriorityP344high8.7CVSS 3.1
AVNACHPRNUINSCCHIHAN
EPSS
0.86%
54.0th percentile
Faye before version 1.4.0, there is a lack of certification validation in TLS handshakes. Faye uses em-http-request and faye-websocket in the Ruby version of its client. Those libraries both use the `EM::Connection#start_tls` method in EventMachine to implement the TLS handshake whenever a `wss:` URL is used for the connection. This method does not implement certificate verification by default, meaning that it does not check that the server presents a valid and trusted TLS certificate for the expected hostname. That means that any `https:` or `wss:` connection made using these libraries is vulnerable to a man-in-the-middle attack, since it does not confirm the identity of the server it is connected to. The first request a Faye client makes is always sent via normal HTTP, but later messages may be sent via WebSocket. Therefore it is vulnerable to the same problem that these underlying libraries are, and we needed both libraries to support TLS verification before Faye could claim to do the same. Your client would still be insecure if its initial HTTPS request was verified, but later WebSocket connections were not. This is fixed in Faye v1.4.0, which enables verification by default. For further background information on this issue, please see the referenced GitHub Advisory.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | ruby-faye | < ruby-faye 1.4.0-1 (bookworm) | ruby-faye 1.4.0-1 (bookworm) |
| faye | faye | < 1.4.0 | 1.4.0 |
| faye | faye | >= 0 < 1.4.0 | 1.4.0 |
| faye_project | faye | < 1.4.0 | 1.4.0 |
CVSS provenance
nvdv3.18.7HIGHCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
nvdv2.06.4MEDIUMAV:N/AC:L/Au:N/C:P/I:P/A:N
osv8.7HIGH
vendor_debian8.0HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
CVE-2020-15134: Faye before version 1
osv·2020-07-31·CVSS 8.7
CVE-2020-15134 [HIGH] CVE-2020-15134: Faye before version 1
Faye before version 1.4.0, there is a lack of certification validation in TLS handshakes. Faye uses em-http-request and faye-websocket in the Ruby version of its client. Those libraries both use the `EM::Connection#start_tls` method in EventMachine to implement the TLS handshake whenever a `wss:` URL is used for the connection. This method does not implement certificate verification by default, meaning that it does not check that the server presents a valid and trusted TLS certificate for the expected hostname. That means that any `https:` or `wss:` connection made using these libraries is vulnerable to a man-in-the-middle attack, since it does not confirm the identity of the server it is connected to. The first request a Faye client makes is always sent via normal HTTP, but later messages
GHSA
Missing TLS certificate verification
ghsa·2020-07-31
CVE-2020-15134 [HIGH] CWE-295 Missing TLS certificate verification
Missing TLS certificate verification
Faye uses [em-http-request][6] and [faye-websocket][10] in the Ruby version of its client. Those libraries both use the [`EM::Connection#start_tls`][1] method in [EventMachine][2] to implement the TLS handshake whenever a `wss:` URL is used for the connection. This method does not implement certificate verification by default, meaning that it does not check that the server presents a valid and trusted TLS certificate for the expected hostname. That means that any `https:` or `wss:` connection made using these libraries is vulnerable to a man-in-the-middle attack, since it does not confirm the identity of the server it is connected to.
The first request a Faye client makes is always sent via normal HTTP, but later messages may be sent via WebSocket. Th
OSV
Missing TLS certificate verification
osv·2020-07-31
CVE-2020-15134 [HIGH] Missing TLS certificate verification
Missing TLS certificate verification
Faye uses [em-http-request][6] and [faye-websocket][10] in the Ruby version of its client. Those libraries both use the [`EM::Connection#start_tls`][1] method in [EventMachine][2] to implement the TLS handshake whenever a `wss:` URL is used for the connection. This method does not implement certificate verification by default, meaning that it does not check that the server presents a valid and trusted TLS certificate for the expected hostname. That means that any `https:` or `wss:` connection made using these libraries is vulnerable to a man-in-the-middle attack, since it does not confirm the identity of the server it is connected to.
The first request a Faye client makes is always sent via normal HTTP, but later messages may be sent via WebSocket. Th
Debian
CVE-2020-15134: ruby-faye - Faye before version 1.4.0, there is a lack of certification validation in TLS ha...
vendor_debian·2020·CVSS 8.0
CVE-2020-15134 [HIGH] CVE-2020-15134: ruby-faye - Faye before version 1.4.0, there is a lack of certification validation in TLS ha...
Faye before version 1.4.0, there is a lack of certification validation in TLS handshakes. Faye uses em-http-request and faye-websocket in the Ruby version of its client. Those libraries both use the `EM::Connection#start_tls` method in EventMachine to implement the TLS handshake whenever a `wss:` URL is used for the connection. This method does not implement certificate verification by default, meaning that it does not check that the server presents a valid and trusted TLS certificate for the expected hostname. That means that any `https:` or `wss:` connection made using these libraries is vulnerable to a man-in-the-middle attack, since it does not confirm the identity of the server it is connected to. The first request a Faye client makes is always sent via normal HTTP, but later messages
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2020-07-31
Published