Vulnerability-Lookup

CVE-2020-11020 (GCVE-0-2020-11020)

Vulnerability from cvelistv5 – Published: 2020-04-29 17:35 – Updated: 2024-08-04 11:21

Title

Authentication and extension bypass in Faye

Summary

Faye (NPM, RubyGem) versions greater than 0.5.0 and before 1.0.4, 1.1.3 and 1.2.5, has the potential for authentication bypass in the extension system. The vulnerability allows any client to bypass checks put in place by server-side extensions, by appending extra segments to the message channel. It is patched in versions 1.0.4, 1.1.3 and 1.2.5.

Severity ?

8.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

CWE

CWE-287 - Improper Authentication

Assigner

GitHub_M

References

URL

Tags

	https://github.com/faye/faye/security/advisories/…	x_refsource_CONFIRM
	https://github.com/faye/faye/commit/65d297d341b60…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	faye	Faye	Affected: >= 0.5.0, < 1.0.4 Affected: >= 1.1.0, < 1.1.3 Affected: >= 1.2.0, < 1.2.5

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T11:21:14.232Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/faye/faye/security/advisories/GHSA-qpg4-4w7w-2mq5"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/faye/faye/commit/65d297d341b607f3cb0b5fa6021a625a991cc30e"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Faye",
          "vendor": "faye",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 0.5.0, \u003c 1.0.4"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.1.0, \u003c 1.1.3"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.2.0, \u003c 1.2.5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Faye (NPM, RubyGem) versions greater than 0.5.0 and before 1.0.4, 1.1.3 and 1.2.5, has the potential for authentication bypass in the extension system. The vulnerability allows any client to bypass checks put in place by server-side extensions, by appending extra segments to the message channel. It is patched in versions 1.0.4, 1.1.3 and 1.2.5."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-287",
              "description": "CWE-287: Improper Authentication",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-04-29T17:35:12",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/faye/faye/security/advisories/GHSA-qpg4-4w7w-2mq5"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/faye/faye/commit/65d297d341b607f3cb0b5fa6021a625a991cc30e"
        }
      ],
      "source": {
        "advisory": "GHSA-qpg4-4w7w-2mq5",
        "discovery": "UNKNOWN"
      },
      "title": "Authentication and extension bypass in Faye",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2020-11020",
          "STATE": "PUBLIC",
          "TITLE": "Authentication and extension bypass in Faye"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Faye",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003e= 0.5.0, \u003c 1.0.4"
                          },
                          {
                            "version_value": "\u003e= 1.1.0, \u003c 1.1.3"
                          },
                          {
                            "version_value": "\u003e= 1.2.0, \u003c 1.2.5"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "faye"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Faye (NPM, RubyGem) versions greater than 0.5.0 and before 1.0.4, 1.1.3 and 1.2.5, has the potential for authentication bypass in the extension system. The vulnerability allows any client to bypass checks put in place by server-side extensions, by appending extra segments to the message channel. It is patched in versions 1.0.4, 1.1.3 and 1.2.5."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-287: Improper Authentication"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/faye/faye/security/advisories/GHSA-qpg4-4w7w-2mq5",
              "refsource": "CONFIRM",
              "url": "https://github.com/faye/faye/security/advisories/GHSA-qpg4-4w7w-2mq5"
            },
            {
              "name": "https://github.com/faye/faye/commit/65d297d341b607f3cb0b5fa6021a625a991cc30e",
              "refsource": "MISC",
              "url": "https://github.com/faye/faye/commit/65d297d341b607f3cb0b5fa6021a625a991cc30e"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-qpg4-4w7w-2mq5",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2020-11020",
    "datePublished": "2020-04-29T17:35:12",
    "dateReserved": "2020-03-30T00:00:00",
    "dateUpdated": "2024-08-04T11:21:14.232Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:faye_project:faye:*:*:*:*:*:node.js:*:*\", \"versionStartExcluding\": \"0.5.0\", \"versionEndExcluding\": \"1.0.4\", \"matchCriteriaId\": \"FDF2555F-1E11-4F39-844B-48D120586578\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:faye_project:faye:*:*:*:*:*:ruby:*:*\", \"versionStartExcluding\": \"0.5.0\", \"versionEndExcluding\": \"1.0.4\", \"matchCriteriaId\": \"F2DB6AE8-AB9B-4A1A-9A23-80A45A3C7FD3\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:faye_project:faye:*:*:*:*:*:node.js:*:*\", \"versionStartIncluding\": \"1.1.0\", \"versionEndExcluding\": \"1.1.3\", \"matchCriteriaId\": \"4C2E7A43-4236-43CC-8588-DFF7DE651276\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:faye_project:faye:*:*:*:*:*:ruby:*:*\", \"versionStartIncluding\": \"1.1.0\", \"versionEndExcluding\": \"1.1.3\", \"matchCriteriaId\": \"C62CA8E2-99F2-4A49-8726-1D1F5EB3F148\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:faye_project:faye:*:*:*:*:*:node.js:*:*\", \"versionStartIncluding\": \"1.2.0\", \"versionEndExcluding\": \"1.2.5\", \"matchCriteriaId\": \"A7AECEFE-3AC9-4855-BD8F-9019A6B64541\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:faye_project:faye:*:*:*:*:*:ruby:*:*\", \"versionStartIncluding\": \"1.2.0\", \"versionEndExcluding\": \"1.2.5\", \"matchCriteriaId\": \"4005E717-555C-4AEB-9D1B-5400C26F2764\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Faye (NPM, RubyGem) versions greater than 0.5.0 and before 1.0.4, 1.1.3 and 1.2.5, has the potential for authentication bypass in the extension system. The vulnerability allows any client to bypass checks put in place by server-side extensions, by appending extra segments to the message channel. It is patched in versions 1.0.4, 1.1.3 and 1.2.5.\"}, {\"lang\": \"es\", \"value\": \"Faye (NPM, RubyGem) versiones superiores a 0.5.0 y anteriores a 1.0.4, 1.1.3 y 1.2.5, presentan el potencial de omitir la autenticaci\\u00f3n en el sistema de extensiones. La vulnerabilidad permite que cualquier cliente omita las comprobaciones establecidas por las extensiones del lado del servidor, al agregar segmentos adicionales al canal de mensajes. Est\\u00e1 parcheado en las versiones 1.0.4, 1.1.3 y 1.2.5.\"}]",
      "id": "CVE-2020-11020",
      "lastModified": "2024-11-21T04:56:35.843",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N\", \"baseScore\": 8.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.1, \"impactScore\": 4.7}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:P/I:P/A:P\", \"baseScore\": 7.5, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"HIGH\", \"exploitabilityScore\": 10.0, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2020-04-29T18:15:13.360",
      "references": "[{\"url\": \"https://github.com/faye/faye/commit/65d297d341b607f3cb0b5fa6021a625a991cc30e\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/faye/faye/security/advisories/GHSA-qpg4-4w7w-2mq5\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Exploit\", \"Mitigation\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/faye/faye/commit/65d297d341b607f3cb0b5fa6021a625a991cc30e\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/faye/faye/security/advisories/GHSA-qpg4-4w7w-2mq5\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Mitigation\", \"Third Party Advisory\"]}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-287\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-287\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2020-11020\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2020-04-29T18:15:13.360\",\"lastModified\":\"2024-11-21T04:56:35.843\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Faye (NPM, RubyGem) versions greater than 0.5.0 and before 1.0.4, 1.1.3 and 1.2.5, has the potential for authentication bypass in the extension system. The vulnerability allows any client to bypass checks put in place by server-side extensions, by appending extra segments to the message channel. It is patched in versions 1.0.4, 1.1.3 and 1.2.5.\"},{\"lang\":\"es\",\"value\":\"Faye (NPM, RubyGem) versiones superiores a 0.5.0 y anteriores a 1.0.4, 1.1.3 y 1.2.5, presentan el potencial de omitir la autenticaci\u00f3n en el sistema de extensiones. La vulnerabilidad permite que cualquier cliente omita las comprobaciones establecidas por las extensiones del lado del servidor, al agregar segmentos adicionales al canal de mensajes. Est\u00e1 parcheado en las versiones 1.0.4, 1.1.3 y 1.2.5.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N\",\"baseScore\":8.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.1,\"impactScore\":4.7},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:P\",\"baseScore\":7.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-287\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-287\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:faye_project:faye:*:*:*:*:*:node.js:*:*\",\"versionStartExcluding\":\"0.5.0\",\"versionEndExcluding\":\"1.0.4\",\"matchCriteriaId\":\"FDF2555F-1E11-4F39-844B-48D120586578\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:faye_project:faye:*:*:*:*:*:ruby:*:*\",\"versionStartExcluding\":\"0.5.0\",\"versionEndExcluding\":\"1.0.4\",\"matchCriteriaId\":\"F2DB6AE8-AB9B-4A1A-9A23-80A45A3C7FD3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:faye_project:faye:*:*:*:*:*:node.js:*:*\",\"versionStartIncluding\":\"1.1.0\",\"versionEndExcluding\":\"1.1.3\",\"matchCriteriaId\":\"4C2E7A43-4236-43CC-8588-DFF7DE651276\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:faye_project:faye:*:*:*:*:*:ruby:*:*\",\"versionStartIncluding\":\"1.1.0\",\"versionEndExcluding\":\"1.1.3\",\"matchCriteriaId\":\"C62CA8E2-99F2-4A49-8726-1D1F5EB3F148\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:faye_project:faye:*:*:*:*:*:node.js:*:*\",\"versionStartIncluding\":\"1.2.0\",\"versionEndExcluding\":\"1.2.5\",\"matchCriteriaId\":\"A7AECEFE-3AC9-4855-BD8F-9019A6B64541\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:faye_project:faye:*:*:*:*:*:ruby:*:*\",\"versionStartIncluding\":\"1.2.0\",\"versionEndExcluding\":\"1.2.5\",\"matchCriteriaId\":\"4005E717-555C-4AEB-9D1B-5400C26F2764\"}]}]}],\"references\":[{\"url\":\"https://github.com/faye/faye/commit/65d297d341b607f3cb0b5fa6021a625a991cc30e\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/faye/faye/security/advisories/GHSA-qpg4-4w7w-2mq5\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mitigation\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/faye/faye/commit/65d297d341b607f3cb0b5fa6021a625a991cc30e\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/faye/faye/security/advisories/GHSA-qpg4-4w7w-2mq5\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Mitigation\",\"Third Party Advisory\"]}]}}"
  }
}

GHSA-QPG4-4W7W-2MQ5

Vulnerability from github – Published: 2020-04-29 17:41 – Updated: 2023-05-16 15:51

Summary

Authentication and extension bypass in Faye

Details

On 20 April 2020 it was reported to me that the potential for authentication bypass exists in Faye's extension system. This vulnerability has existed in the Node.js and Ruby versions of the server since version 0.5.0, when extensions were first introduced, in July 2010. It is patched in versions 1.0.4, 1.1.3 and 1.2.5, which we are releasing today.

The vulnerability allows any client to bypass checks put in place by server-side extensions, by appending extra segments to the message channel. For example, the Faye extension docs suggest that users implement access control for subscriptions by checking incoming messages for the /meta/subscribe channel, for example:

server.addExtension({
  incoming: function(message, callback) {
    if (message.channel === '/meta/subscribe') {
      if (message.ext.authToken !== 'my super secret password') {
        message.error = 'Invalid auth token';
      }
    }
    callback(message);
  }
});

A bug in the server's code for recognising the special /meta/* channels, which trigger connection and subscription events, means that a client can bypass this check by sending a message to /meta/subscribe/x rather than /meta/subscribe:

{
  "channel": "/meta/subscribe/x",
  "clientId": "3jrc6602npj4gyp6bn5ap2wqzjtb2q3",
  "subscription": "/foo"
}

This message will not be checked by the above extension, as it checks the message's channel is exactly equal to /meta/subscribe. But it will still be processed as a subscription request by the server, so the client becomes subscribed to the channel /foo without supplying the necessary credentials.

The vulnerability is caused by the way the Faye server recognises meta channels. It will treat a message to any channel that's a prefix-match for one of the special channels /meta/handshake, /meta/connect, /meta/subscribe, /meta/unsubscribe or /meta/disconnect, as though it were an exact match for that channel. So, a message to /meta/subscribe/x is still processed as a subscription request, for example.

An authentication bypass for subscription requests is the most serious effect of this but all other meta channels are susceptible to similar manipulation.

This parsing bug in the server is fixed in versions 1.0.4, 1.1.3 and 1.2.5. These should be drop-in replacements for prior versions and you should upgrade immediately if you are running any prior version.

If you are unable to install one of these versions, you can make your extensions catch all messages the server would process by checking the channel begins with the expected channel name, for example:

server.addExtension({
  incoming: function(message, callback) {
    if (message.channel.startsWith('/meta/subscribe')) {
      // authentication logic
    }
    callback(message);
  }
});

Severity ?

8.5 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "faye"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.5.0"
            },
            {
              "fixed": "1.0.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "faye"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.1.0"
            },
            {
              "fixed": "1.1.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "faye"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.2.0"
            },
            {
              "fixed": "1.2.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-11020"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-04-29T17:40:59Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "On 20 April 2020 it was reported to me that the potential for authentication bypass exists in [Faye][1]\u0027s extension system. This vulnerability has existed in the Node.js and Ruby versions of the server since version 0.5.0, when extensions were first introduced, in July 2010. It is patched in versions 1.0.4, 1.1.3 and 1.2.5, which we are releasing today.\n\nThe vulnerability allows any client to bypass checks put in place by server-side extensions, by appending extra segments to the message channel. For example, the Faye [extension docs][2] suggest that users implement access control for subscriptions by checking incoming messages for the `/meta/subscribe` channel, for example:\n\n```js\nserver.addExtension({\n  incoming: function(message, callback) {\n    if (message.channel === \u0027/meta/subscribe\u0027) {\n      if (message.ext.authToken !== \u0027my super secret password\u0027) {\n        message.error = \u0027Invalid auth token\u0027;\n      }\n    }\n    callback(message);\n  }\n});\n```\n\nA bug in the server\u0027s code for recognising the special `/meta/*` channels, which trigger connection and subscription events, means that a client can bypass this check by sending a message to `/meta/subscribe/x` rather than `/meta/subscribe`:\n\n```json\n{\n  \"channel\": \"/meta/subscribe/x\",\n  \"clientId\": \"3jrc6602npj4gyp6bn5ap2wqzjtb2q3\",\n  \"subscription\": \"/foo\"\n}\n```\n\nThis message will not be checked by the above extension, as it checks the message\u0027s channel is exactly equal to `/meta/subscribe`. But it will still be processed as a subscription request by the server, so the client becomes subscribed to the channel `/foo` without supplying the necessary credentials.\n\nThe vulnerability is caused by the way the Faye server recognises meta channels. It will treat a message to any channel that\u0027s a prefix-match for one of the special channels `/meta/handshake`, `/meta/connect`, `/meta/subscribe`, `/meta/unsubscribe` or `/meta/disconnect`, as though it were an exact match for that channel. So, a message to `/meta/subscribe/x` is still processed as a subscription request, for example.\n\nAn authentication bypass for subscription requests is the most serious effect of this but all other meta channels are susceptible to similar manipulation.\n\nThis parsing bug in the server is fixed in versions 1.0.4, 1.1.3 and 1.2.5. These should be drop-in replacements for prior versions and you should upgrade immediately if you are running any prior version.\n\nIf you are unable to install one of these versions, you can make your extensions catch all messages the server would process by checking the channel _begins_ with the expected channel name, for example:\n\n```js\nserver.addExtension({\n  incoming: function(message, callback) {\n    if (message.channel.startsWith(\u0027/meta/subscribe\u0027)) {\n      // authentication logic\n    }\n    callback(message);\n  }\n});\n```\n\n[1]: https://faye.jcoglan.com/\n[2]: https://faye.jcoglan.com/node/extensions.html",
  "id": "GHSA-qpg4-4w7w-2mq5",
  "modified": "2023-05-16T15:51:44Z",
  "published": "2020-04-29T17:41:15Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/faye/faye/security/advisories/GHSA-qpg4-4w7w-2mq5"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11020"
    },
    {
      "type": "WEB",
      "url": "https://github.com/faye/faye/commit/65d297d341b607f3cb0b5fa6021a625a991cc30e"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/faye/faye"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/faye/CVE-2020-11020.yml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Authentication and extension bypass in Faye"
}

GSD-2020-11020

Vulnerability from gsd - Updated: 2020-04-29 00:00

Details

On 20 April 2020 it was reported to me that the potential for authentication bypass exists in [Faye][1]'s extension system. This vulnerability has existed in the Node.js and Ruby versions of the server since version 0.5.0, when extensions were first introduced, in July 2010. It is patched in versions 1.0.4, 1.1.3 and 1.2.5, which we are releasing today. The vulnerability allows any client to bypass checks put in place by server-side extensions, by appending extra segments to the message channel. For example, the Faye [extension docs][2] suggest that users implement access control for subscriptions by checking incoming messages for the `/meta/subscribe` channel, for example: ```js server.addExtension({ incoming: function(message, callback) { if (message.channel === '/meta/subscribe') { if (message.ext.authToken !== 'my super secret password') { message.error = 'Invalid auth token'; } } callback(message); } }); ``` A bug in the server's code for recognising the special `/meta/*` channels, which trigger connection and subscription events, means that a client can bypass this check by sending a message to `/meta/subscribe/x` rather than `/meta/subscribe`: ```json { "channel": "/meta/subscribe/x", "clientId": "3jrc6602npj4gyp6bn5ap2wqzjtb2q3", "subscription": "/foo" } ``` This message will not be checked by the above extension, as it checks the message's channel is exactly equal to `/meta/subscribe`. But it will still be processed as a subscription request by the server, so the client becomes subscribed to the channel `/foo` without supplying the necessary credentials. The vulnerability is caused by the way the Faye server recognises meta channels. It will treat a message to any channel that's a prefix-match for one of the special channels `/meta/handshake`, `/meta/connect`, `/meta/subscribe`, `/meta/unsubscribe` or `/meta/disconnect`, as though it were an exact match for that channel. So, a message to `/meta/subscribe/x` is still processed as a subscription request, for example. An authentication bypass for subscription requests is the most serious effect of this but all other meta channels are susceptible to similar manipulation. This parsing bug in the server is fixed in versions 1.0.4, 1.1.3 and 1.2.5. These should be drop-in replacements for prior versions and you should upgrade immediately if you are running any prior version. If you are unable to install one of these versions, you can make your extensions catch all messages the server would process by checking the channel _begins_ with the expected channel name, for example: ```js server.addExtension({ incoming: function(message, callback) { if (message.channel.startsWith('/meta/subscribe')) { // authentication logic } callback(message); } }); ``` [1]: https://faye.jcoglan.com/ [2]: https://faye.jcoglan.com/node/extensions.html

Aliases

CVE-2020-11020

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2020-11020",
    "description": "Faye (NPM, RubyGem) versions greater than 0.5.0 and before 1.0.4, 1.1.3 and 1.2.5, has the potential for authentication bypass in the extension system. The vulnerability allows any client to bypass checks put in place by server-side extensions, by appending extra segments to the message channel. It is patched in versions 1.0.4, 1.1.3 and 1.2.5.",
    "id": "GSD-2020-11020"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "affected": [
        {
          "package": {
            "ecosystem": "RubyGems",
            "name": "faye",
            "purl": "pkg:gem/faye"
          }
        }
      ],
      "aliases": [
        "CVE-2020-11020",
        "GHSA-qpg4-4w7w-2mq5"
      ],
      "details": "On 20 April 2020 it was reported to me that the potential for authentication\nbypass exists in [Faye][1]\u0027s extension system. This vulnerability has existed in\nthe Node.js and Ruby versions of the server since version 0.5.0, when extensions\nwere first introduced, in July 2010. It is patched in versions 1.0.4, 1.1.3 and\n1.2.5, which we are releasing today.\n\nThe vulnerability allows any client to bypass checks put in place by server-side\nextensions, by appending extra segments to the message channel. For example, the\nFaye [extension docs][2] suggest that users implement access control for\nsubscriptions by checking incoming messages for the `/meta/subscribe` channel,\nfor example:\n\n```js\nserver.addExtension({\n  incoming: function(message, callback) {\n    if (message.channel === \u0027/meta/subscribe\u0027) {\n      if (message.ext.authToken !== \u0027my super secret password\u0027) {\n        message.error = \u0027Invalid auth token\u0027;\n      }\n    }\n    callback(message);\n  }\n});\n```\n\nA bug in the server\u0027s code for recognising the special `/meta/*` channels, which\ntrigger connection and subscription events, means that a client can bypass this\ncheck by sending a message to `/meta/subscribe/x` rather than `/meta/subscribe`:\n\n```json\n{\n  \"channel\": \"/meta/subscribe/x\",\n  \"clientId\": \"3jrc6602npj4gyp6bn5ap2wqzjtb2q3\",\n  \"subscription\": \"/foo\"\n}\n```\n\nThis message will not be checked by the above extension, as it checks the\nmessage\u0027s channel is exactly equal to `/meta/subscribe`. But it will still be\nprocessed as a subscription request by the server, so the client becomes\nsubscribed to the channel `/foo` without supplying the necessary credentials.\n\nThe vulnerability is caused by the way the Faye server recognises meta channels.\nIt will treat a message to any channel that\u0027s a prefix-match for one of the\nspecial channels `/meta/handshake`, `/meta/connect`, `/meta/subscribe`,\n`/meta/unsubscribe` or `/meta/disconnect`, as though it were an exact match for\nthat channel. So, a message to `/meta/subscribe/x` is still processed as a\nsubscription request, for example.\n\nAn authentication bypass for subscription requests is the most serious effect of\nthis but all other meta channels are susceptible to similar manipulation.\n\nThis parsing bug in the server is fixed in versions 1.0.4, 1.1.3 and 1.2.5.\nThese should be drop-in replacements for prior versions and you should upgrade\nimmediately if you are running any prior version.\n\nIf you are unable to install one of these versions, you can make your extensions\ncatch all messages the server would process by checking the channel _begins_\nwith the expected channel name, for example:\n\n```js\nserver.addExtension({\n  incoming: function(message, callback) {\n    if (message.channel.startsWith(\u0027/meta/subscribe\u0027)) {\n      // authentication logic\n    }\n    callback(message);\n  }\n});\n```\n\n[1]: https://faye.jcoglan.com/\n[2]: https://faye.jcoglan.com/node/extensions.html",
      "id": "GSD-2020-11020",
      "modified": "2020-04-29T00:00:00.000Z",
      "published": "2020-04-29T00:00:00.000Z",
      "references": [
        {
          "type": "WEB",
          "url": "https://github.com/faye/faye/security/advisories/GHSA-qpg4-4w7w-2mq5"
        }
      ],
      "schema_version": "1.4.0",
      "severity": [
        {
          "score": 8.5,
          "type": "CVSS_V3"
        }
      ],
      "summary": "Authentication and extension bypass in Faye"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2020-11020",
        "STATE": "PUBLIC",
        "TITLE": "Authentication and extension bypass in Faye"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Faye",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "\u003e= 0.5.0, \u003c 1.0.4"
                        },
                        {
                          "version_value": "\u003e= 1.1.0, \u003c 1.1.3"
                        },
                        {
                          "version_value": "\u003e= 1.2.0, \u003c 1.2.5"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "faye"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Faye (NPM, RubyGem) versions greater than 0.5.0 and before 1.0.4, 1.1.3 and 1.2.5, has the potential for authentication bypass in the extension system. The vulnerability allows any client to bypass checks put in place by server-side extensions, by appending extra segments to the message channel. It is patched in versions 1.0.4, 1.1.3 and 1.2.5."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-287: Improper Authentication"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/faye/faye/security/advisories/GHSA-qpg4-4w7w-2mq5",
            "refsource": "CONFIRM",
            "url": "https://github.com/faye/faye/security/advisories/GHSA-qpg4-4w7w-2mq5"
          },
          {
            "name": "https://github.com/faye/faye/commit/65d297d341b607f3cb0b5fa6021a625a991cc30e",
            "refsource": "MISC",
            "url": "https://github.com/faye/faye/commit/65d297d341b607f3cb0b5fa6021a625a991cc30e"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-qpg4-4w7w-2mq5",
        "discovery": "UNKNOWN"
      }
    },
    "github.com/rubysec/ruby-advisory-db": {
      "cve": "2020-11020",
      "cvss_v3": 8.5,
      "date": "2020-04-29",
      "description": "On 20 April 2020 it was reported to me that the potential for authentication\nbypass exists in [Faye][1]\u0027s extension system. This vulnerability has existed in\nthe Node.js and Ruby versions of the server since version 0.5.0, when extensions\nwere first introduced, in July 2010. It is patched in versions 1.0.4, 1.1.3 and\n1.2.5, which we are releasing today.\n\nThe vulnerability allows any client to bypass checks put in place by server-side\nextensions, by appending extra segments to the message channel. For example, the\nFaye [extension docs][2] suggest that users implement access control for\nsubscriptions by checking incoming messages for the `/meta/subscribe` channel,\nfor example:\n\n```js\nserver.addExtension({\n  incoming: function(message, callback) {\n    if (message.channel === \u0027/meta/subscribe\u0027) {\n      if (message.ext.authToken !== \u0027my super secret password\u0027) {\n        message.error = \u0027Invalid auth token\u0027;\n      }\n    }\n    callback(message);\n  }\n});\n```\n\nA bug in the server\u0027s code for recognising the special `/meta/*` channels, which\ntrigger connection and subscription events, means that a client can bypass this\ncheck by sending a message to `/meta/subscribe/x` rather than `/meta/subscribe`:\n\n```json\n{\n  \"channel\": \"/meta/subscribe/x\",\n  \"clientId\": \"3jrc6602npj4gyp6bn5ap2wqzjtb2q3\",\n  \"subscription\": \"/foo\"\n}\n```\n\nThis message will not be checked by the above extension, as it checks the\nmessage\u0027s channel is exactly equal to `/meta/subscribe`. But it will still be\nprocessed as a subscription request by the server, so the client becomes\nsubscribed to the channel `/foo` without supplying the necessary credentials.\n\nThe vulnerability is caused by the way the Faye server recognises meta channels.\nIt will treat a message to any channel that\u0027s a prefix-match for one of the\nspecial channels `/meta/handshake`, `/meta/connect`, `/meta/subscribe`,\n`/meta/unsubscribe` or `/meta/disconnect`, as though it were an exact match for\nthat channel. So, a message to `/meta/subscribe/x` is still processed as a\nsubscription request, for example.\n\nAn authentication bypass for subscription requests is the most serious effect of\nthis but all other meta channels are susceptible to similar manipulation.\n\nThis parsing bug in the server is fixed in versions 1.0.4, 1.1.3 and 1.2.5.\nThese should be drop-in replacements for prior versions and you should upgrade\nimmediately if you are running any prior version.\n\nIf you are unable to install one of these versions, you can make your extensions\ncatch all messages the server would process by checking the channel _begins_\nwith the expected channel name, for example:\n\n```js\nserver.addExtension({\n  incoming: function(message, callback) {\n    if (message.channel.startsWith(\u0027/meta/subscribe\u0027)) {\n      // authentication logic\n    }\n    callback(message);\n  }\n});\n```\n\n[1]: https://faye.jcoglan.com/\n[2]: https://faye.jcoglan.com/node/extensions.html",
      "gem": "faye",
      "ghsa": "qpg4-4w7w-2mq5",
      "patched_versions": [
        "~\u003e 1.0.4",
        "~\u003e 1.1.3",
        "\u003e= 1.2.5"
      ],
      "title": "Authentication and extension bypass in Faye",
      "unaffected_versions": [
        "\u003c 0.5.0"
      ],
      "url": "https://github.com/faye/faye/security/advisories/GHSA-qpg4-4w7w-2mq5"
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003e0.5.0 \u003c1.0.4||\u003e=1.1.0 \u003c1.1.3||\u003e=1.2.0 \u003c1.2.5",
          "affected_versions": "All versions after 0.5.0 before 1.0.4, all versions starting from 1.1.0 before 1.1.3, all versions starting from 1.2.0 before 1.2.5",
          "cvss_v2": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-287",
            "CWE-937"
          ],
          "date": "2020-05-06",
          "description": "Faye is vulnerable to an authentication bypass in the extension system. The vulnerability allows any client to bypass checks put in place by server-side extensions, by appending extra segments to the message channel.",
          "fixed_versions": [
            "1.0.4",
            "1.1.3",
            "1.2.5"
          ],
          "identifier": "CVE-2020-11020",
          "identifiers": [
            "CVE-2020-11020",
            "GHSA-qpg4-4w7w-2mq5"
          ],
          "not_impacted": "All versions up to 0.5.0, all versions starting from 1.0.4 before 1.1.0, all versions starting from 1.1.3 before 1.2.0, all versions starting from 1.2.5",
          "package_slug": "gem/faye",
          "pubdate": "2020-04-29",
          "solution": "Upgrade to versions 1.0.4, 1.1.3, 1.2.5 or above.",
          "title": "Improper Authentication",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2020-11020"
          ],
          "uuid": "520be041-d9a4-467d-b94a-fa186e7de844"
        },
        {
          "affected_range": "\u003e0.5.0 \u003c1.0.4||\u003e=1.1.0 \u003c1.1.3||\u003e=1.2.0 \u003c1.2.5",
          "affected_versions": "All versions after 0.5.0 before 1.0.4, all versions starting from 1.1.0 before 1.1.3, all versions starting from 1.2.0 before 1.2.5",
          "cvss_v2": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-287",
            "CWE-937"
          ],
          "date": "2020-05-06",
          "description": "Faye is vulnerable to an authentication bypass in the extension system. The vulnerability allows any client to bypass checks put in place by server-side extensions, by appending extra segments to the message channel.",
          "fixed_versions": [
            "1.0.4",
            "1.1.3",
            "1.2.5"
          ],
          "identifier": "CVE-2020-11020",
          "identifiers": [
            "CVE-2020-11020",
            "GHSA-qpg4-4w7w-2mq5"
          ],
          "not_impacted": "All versions up to 0.5.0, all versions starting from 1.0.4 before 1.1.0, all versions starting from 1.1.3 before 1.2.0, all versions starting from 1.2.5",
          "package_slug": "npm/faye",
          "pubdate": "2020-04-29",
          "solution": "Upgrade to versions 1.0.4, 1.1.3, 1.2.5 or above.",
          "title": "Improper Authentication",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2020-11020"
          ],
          "uuid": "251662bb-f6bf-4afe-b991-7bda2fc18210"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:faye_project:faye:*:*:*:*:*:node.js:*:*",
                "cpe_name": [],
                "versionEndExcluding": "1.0.4",
                "versionStartExcluding": "0.5.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:faye_project:faye:*:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "versionEndExcluding": "1.0.4",
                "versionStartExcluding": "0.5.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:faye_project:faye:*:*:*:*:*:node.js:*:*",
                "cpe_name": [],
                "versionEndExcluding": "1.1.3",
                "versionStartIncluding": "1.1.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:faye_project:faye:*:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "versionEndExcluding": "1.1.3",
                "versionStartIncluding": "1.1.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:faye_project:faye:*:*:*:*:*:node.js:*:*",
                "cpe_name": [],
                "versionEndExcluding": "1.2.5",
                "versionStartIncluding": "1.2.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:faye_project:faye:*:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "versionEndExcluding": "1.2.5",
                "versionStartIncluding": "1.2.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2020-11020"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Faye (NPM, RubyGem) versions greater than 0.5.0 and before 1.0.4, 1.1.3 and 1.2.5, has the potential for authentication bypass in the extension system. The vulnerability allows any client to bypass checks put in place by server-side extensions, by appending extra segments to the message channel. It is patched in versions 1.0.4, 1.1.3 and 1.2.5."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-287"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/faye/faye/commit/65d297d341b607f3cb0b5fa6021a625a991cc30e",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/faye/faye/commit/65d297d341b607f3cb0b5fa6021a625a991cc30e"
            },
            {
              "name": "https://github.com/faye/faye/security/advisories/GHSA-qpg4-4w7w-2mq5",
              "refsource": "CONFIRM",
              "tags": [
                "Exploit",
                "Mitigation",
                "Third Party Advisory"
              ],
              "url": "https://github.com/faye/faye/security/advisories/GHSA-qpg4-4w7w-2mq5"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2020-05-06T18:21Z",
      "publishedDate": "2020-04-29T18:15Z"
    }
  }
}

FKIE_CVE-2020-11020

Vulnerability from fkie_nvd - Published: 2020-04-29 18:15 - Updated: 2024-11-21 04:56

Severity ?

8.5 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/faye/faye/commit/65d297d341b607f3cb0b5fa6021a625a991cc30e	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/faye/faye/security/advisories/GHSA-qpg4-4w7w-2mq5	Exploit, Mitigation, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/faye/faye/commit/65d297d341b607f3cb0b5fa6021a625a991cc30e	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/faye/faye/security/advisories/GHSA-qpg4-4w7w-2mq5	Exploit, Mitigation, Third Party Advisory

Impacted products

Vendor	Product	Version
faye_project	faye	*
faye_project	faye	*
faye_project	faye	*
faye_project	faye	*
faye_project	faye	*
faye_project	faye	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:faye_project:faye:*:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "FDF2555F-1E11-4F39-844B-48D120586578",
              "versionEndExcluding": "1.0.4",
              "versionStartExcluding": "0.5.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:faye_project:faye:*:*:*:*:*:ruby:*:*",
              "matchCriteriaId": "F2DB6AE8-AB9B-4A1A-9A23-80A45A3C7FD3",
              "versionEndExcluding": "1.0.4",
              "versionStartExcluding": "0.5.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:faye_project:faye:*:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "4C2E7A43-4236-43CC-8588-DFF7DE651276",
              "versionEndExcluding": "1.1.3",
              "versionStartIncluding": "1.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:faye_project:faye:*:*:*:*:*:ruby:*:*",
              "matchCriteriaId": "C62CA8E2-99F2-4A49-8726-1D1F5EB3F148",
              "versionEndExcluding": "1.1.3",
              "versionStartIncluding": "1.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:faye_project:faye:*:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "A7AECEFE-3AC9-4855-BD8F-9019A6B64541",
              "versionEndExcluding": "1.2.5",
              "versionStartIncluding": "1.2.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:faye_project:faye:*:*:*:*:*:ruby:*:*",
              "matchCriteriaId": "4005E717-555C-4AEB-9D1B-5400C26F2764",
              "versionEndExcluding": "1.2.5",
              "versionStartIncluding": "1.2.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Faye (NPM, RubyGem) versions greater than 0.5.0 and before 1.0.4, 1.1.3 and 1.2.5, has the potential for authentication bypass in the extension system. The vulnerability allows any client to bypass checks put in place by server-side extensions, by appending extra segments to the message channel. It is patched in versions 1.0.4, 1.1.3 and 1.2.5."
    },
    {
      "lang": "es",
      "value": "Faye (NPM, RubyGem) versiones superiores a 0.5.0 y anteriores a 1.0.4, 1.1.3 y 1.2.5, presentan el potencial de omitir la autenticaci\u00f3n en el sistema de extensiones. La vulnerabilidad permite que cualquier cliente omita las comprobaciones establecidas por las extensiones del lado del servidor, al agregar segmentos adicionales al canal de mensajes. Est\u00e1 parcheado en las versiones 1.0.4, 1.1.3 y 1.2.5."
    }
  ],
  "id": "CVE-2020-11020",
  "lastModified": "2024-11-21T04:56:35.843",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 7.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.1,
        "impactScore": 4.7,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-04-29T18:15:13.360",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/faye/faye/commit/65d297d341b607f3cb0b5fa6021a625a991cc30e"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Mitigation",
        "Third Party Advisory"
      ],
      "url": "https://github.com/faye/faye/security/advisories/GHSA-qpg4-4w7w-2mq5"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/faye/faye/commit/65d297d341b607f3cb0b5fa6021a625a991cc30e"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Mitigation",
        "Third Party Advisory"
      ],
      "url": "https://github.com/faye/faye/security/advisories/GHSA-qpg4-4w7w-2mq5"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-287"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-287"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2020-11020 (GCVE-0-2020-11020)

GHSA-QPG4-4W7W-2MQ5

GSD-2020-11020

FKIE_CVE-2020-11020

Tags

Sightings

Nomenclature