Missing TLS certificate verification in Faye Websocket
Description
In faye-websocket before version 0.11.0, there is a lack of certification validation in TLS handshakes. The Faye::WebSocket::Client class uses the EM::Connection#start_tls method in EventMachine to implement the TLS handshake whenever a wss: URL is used for the connection. This method does not implement certificate verification by default, meaning that it does not check that the server presents a valid and trusted TLS certificate for the expected hostname. That means that any wss: connection made using this library is vulnerable to a man-in-the-middle attack, since it does not confirm the identity of the server it is connected to. For further background information on this issue, please see the referenced GitHub Advisory. Upgrading faye-websocket to v0.11.0 is recommended.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
faye-websocketRubyGems | < 0.11.0 | 0.11.0 |
Affected products
2- faye/faye-websocketv5Range: < 0.11.0
Patches
Vulnerability mechanics
References
15- github.com/advisories/GHSA-2v5c-755p-p4gvghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2020-15133ghsaADVISORY
- securitylab.github.com/advisories/GHSL-2020-094-igrigorik-em-http-requestghsaADVISORY
- blog.jcoglan.com/2020/07/31/missing-tls-verification-in-fayeghsaWEB
- blog.jcoglan.com/2020/07/31/missing-tls-verification-in-faye/mitrex_refsource_MISC
- github.com/eventmachine/eventmachine/issues/275ghsaWEB
- github.com/eventmachine/eventmachine/issues/814ghsaWEB
- github.com/eventmachine/eventmachine/pull/378ghsaWEB
- github.com/faye/faye-websocket-ruby/pull/129ghsaWEB
- github.com/faye/faye-websocket-ruby/security/advisories/GHSA-2v5c-755p-p4gvghsax_refsource_CONFIRMWEB
- github.com/faye/faye/issues/524ghsaWEB
- github.com/igrigorik/em-http-request/pull/340ghsaWEB
- github.com/rubysec/ruby-advisory-db/blob/master/gems/faye-websocket/CVE-2020-15133.ymlghsaWEB
- www.rubydoc.info/github/eventmachine/eventmachine/EventMachine/Connection:ssl_verify_peerghsaWEB
- www.rubydoc.info/github/eventmachine/eventmachine/EventMachine/Connection:start_tlsghsaWEB
News mentions
0No linked articles in our index yet.