Faye Project Faye vulnerabilities
2 known vulnerabilities affecting faye_project/faye.
Total CVEs
2
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
CRITICAL
1
HIGH
1
Vulnerabilities
CVE-2020-11020 | P2 | CRITICAL (CVSS 9.8) | CWE-287 | fixed in 1.0.4; ≥ 1.1.0, < 1.1.3; +1 more | published 2020-04-29
Faye (NPM, RubyGem) versions greater than 0.5.0 and before 1.0.4, 1.1.3 and 1.2.5 have the potential for authentication bypass in the extension system. The vulnerability allows any client to bypass checks put in place by server-side extensions, by appending extra segments to the message channel. It is patched in versions 1.0.4, 1.1.3 and 1.2.5.
Source: nvd
CVE-2020-15134 | P3 | HIGH (CVSS 8.7) | CWE-295 | fixed in 1.4.0 | published 2020-07-31
In Faye before version 1.4.0, there is a lack of certification validation in TLS handshakes. Faye uses em-http-request and faye-websocket in the Ruby version of its client. Those libraries both use the `EM::Connection#start_tls` method in EventMachine to implement the TLS handshake whenever a `wss:` URL is used for the connection. This method does not imp
Source: nvd