Vulnerability-Lookup

CVE-2020-15133 (GCVE-0-2020-15133)

Vulnerability from cvelistv5 – Published: 2020-07-31 17:40 – Updated: 2024-08-04 13:08

Title

Missing TLS certificate verification in Faye Websocket

Summary

In faye-websocket before version 0.11.0, there is a lack of certification validation in TLS handshakes. The `Faye::WebSocket::Client` class uses the `EM::Connection#start_tls` method in EventMachine to implement the TLS handshake whenever a `wss:` URL is used for the connection. This method does not implement certificate verification by default, meaning that it does not check that the server presents a valid and trusted TLS certificate for the expected hostname. That means that any `wss:` connection made using this library is vulnerable to a man-in-the-middle attack, since it does not confirm the identity of the server it is connected to. For further background information on this issue, please see the referenced GitHub Advisory. Upgrading `faye-websocket` to v0.11.0 is recommended.

Severity ?

8 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

CWE

CWE-295 - Improper Certificate Validation

Assigner

GitHub_M

References

URL

Tags

	https://blog.jcoglan.com/2020/07/31/missing-tls-v…	x_refsource_MISC
	https://github.com/faye/faye-websocket-ruby/secur…	x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	faye	faye-websocket	Affected: < 0.11.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T13:08:22.247Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://blog.jcoglan.com/2020/07/31/missing-tls-verification-in-faye/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/faye/faye-websocket-ruby/security/advisories/GHSA-2v5c-755p-p4gv"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "faye-websocket",
          "vendor": "faye",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.11.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In faye-websocket before version 0.11.0, there is a lack of certification validation in TLS handshakes. The `Faye::WebSocket::Client` class uses the `EM::Connection#start_tls` method in EventMachine to implement the TLS handshake whenever a `wss:` URL is used for the connection. This method does not implement certificate verification by default, meaning that it does not check that the server presents a valid and trusted TLS certificate for the expected hostname. That means that any `wss:` connection made using this library is vulnerable to a man-in-the-middle attack, since it does not confirm the identity of the server it is connected to. For further background information on this issue, please see the referenced GitHub Advisory. Upgrading `faye-websocket` to v0.11.0 is recommended."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-295",
              "description": "CWE-295: Improper Certificate Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-07-31T17:40:21",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://blog.jcoglan.com/2020/07/31/missing-tls-verification-in-faye/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/faye/faye-websocket-ruby/security/advisories/GHSA-2v5c-755p-p4gv"
        }
      ],
      "source": {
        "advisory": "GHSA-2v5c-755p-p4gv",
        "discovery": "UNKNOWN"
      },
      "title": "Missing TLS certificate verification in Faye Websocket",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2020-15133",
          "STATE": "PUBLIC",
          "TITLE": "Missing TLS certificate verification in Faye Websocket"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "faye-websocket",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 0.11.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "faye"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In faye-websocket before version 0.11.0, there is a lack of certification validation in TLS handshakes. The `Faye::WebSocket::Client` class uses the `EM::Connection#start_tls` method in EventMachine to implement the TLS handshake whenever a `wss:` URL is used for the connection. This method does not implement certificate verification by default, meaning that it does not check that the server presents a valid and trusted TLS certificate for the expected hostname. That means that any `wss:` connection made using this library is vulnerable to a man-in-the-middle attack, since it does not confirm the identity of the server it is connected to. For further background information on this issue, please see the referenced GitHub Advisory. Upgrading `faye-websocket` to v0.11.0 is recommended."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-295: Improper Certificate Validation"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://blog.jcoglan.com/2020/07/31/missing-tls-verification-in-faye/",
              "refsource": "MISC",
              "url": "https://blog.jcoglan.com/2020/07/31/missing-tls-verification-in-faye/"
            },
            {
              "name": "https://github.com/faye/faye-websocket-ruby/security/advisories/GHSA-2v5c-755p-p4gv",
              "refsource": "CONFIRM",
              "url": "https://github.com/faye/faye-websocket-ruby/security/advisories/GHSA-2v5c-755p-p4gv"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-2v5c-755p-p4gv",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2020-15133",
    "datePublished": "2020-07-31T17:40:21",
    "dateReserved": "2020-06-25T00:00:00",
    "dateUpdated": "2024-08-04T13:08:22.247Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:faye-websocket_project:faye-websocket:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"0.11.0\", \"matchCriteriaId\": \"6A21B57E-CBCB-44A7-B047-AFD01BAD894F\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"In faye-websocket before version 0.11.0, there is a lack of certification validation in TLS handshakes. The `Faye::WebSocket::Client` class uses the `EM::Connection#start_tls` method in EventMachine to implement the TLS handshake whenever a `wss:` URL is used for the connection. This method does not implement certificate verification by default, meaning that it does not check that the server presents a valid and trusted TLS certificate for the expected hostname. That means that any `wss:` connection made using this library is vulnerable to a man-in-the-middle attack, since it does not confirm the identity of the server it is connected to. For further background information on this issue, please see the referenced GitHub Advisory. Upgrading `faye-websocket` to v0.11.0 is recommended.\"}, {\"lang\": \"es\", \"value\": \"En faye-websocket versiones anteriores a 0.11.0, se presenta una falta de comprobaci\\u00f3n de certificaci\\u00f3n en los protocolos de enlaces TLS. La clase \\\"Faye::WebSocket::Client\\\" usa el m\\u00e9todo \\\"EM::Connection #start_tls\\\" en EventMachine para implementar el protocolo de enlace TLS cada vez que una URL \\\"wss:\\\" es usada para la conexi\\u00f3n. Este m\\u00e9todo no implementa la verificaci\\u00f3n de certificados por defecto, lo que significa que no comprueba que el servidor presente un certificado TLS v\\u00e1lido y confiable para el nombre de host esperado. Eso significa que cualquier conexi\\u00f3n \\\"wss:\\\" realizada con esta biblioteca es vulnerable a un ataque de tipo man-in-the-middle, ya que no confirma la identidad del servidor al que est\\u00e1 conectado. Para obtener m\\u00e1s informaci\\u00f3n de fondo sobre este tema, consulte el Aviso de GitHub referenciado. Es recomendado actualizar \\\"faye-websocket\\\" a la versi\\u00f3n  v0.11.0\"}]",
      "id": "CVE-2020-15133",
      "lastModified": "2024-11-21T05:04:54.867",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N\", \"baseScore\": 8.0, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 1.6, \"impactScore\": 5.8}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N\", \"baseScore\": 8.7, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.2, \"impactScore\": 5.8}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:N/C:P/I:P/A:N\", \"baseScore\": 5.8, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.6, \"impactScore\": 4.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2020-07-31T18:15:14.473",
      "references": "[{\"url\": \"https://blog.jcoglan.com/2020/07/31/missing-tls-verification-in-faye/\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/faye/faye-websocket-ruby/security/advisories/GHSA-2v5c-755p-p4gv\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}, {\"url\": \"https://blog.jcoglan.com/2020/07/31/missing-tls-verification-in-faye/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/faye/faye-websocket-ruby/security/advisories/GHSA-2v5c-755p-p4gv\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-295\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-295\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2020-15133\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2020-07-31T18:15:14.473\",\"lastModified\":\"2024-11-21T05:04:54.867\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In faye-websocket before version 0.11.0, there is a lack of certification validation in TLS handshakes. The `Faye::WebSocket::Client` class uses the `EM::Connection#start_tls` method in EventMachine to implement the TLS handshake whenever a `wss:` URL is used for the connection. This method does not implement certificate verification by default, meaning that it does not check that the server presents a valid and trusted TLS certificate for the expected hostname. That means that any `wss:` connection made using this library is vulnerable to a man-in-the-middle attack, since it does not confirm the identity of the server it is connected to. For further background information on this issue, please see the referenced GitHub Advisory. Upgrading `faye-websocket` to v0.11.0 is recommended.\"},{\"lang\":\"es\",\"value\":\"En faye-websocket versiones anteriores a 0.11.0, se presenta una falta de comprobaci\u00f3n de certificaci\u00f3n en los protocolos de enlaces TLS. La clase \\\"Faye::WebSocket::Client\\\" usa el m\u00e9todo \\\"EM::Connection #start_tls\\\" en EventMachine para implementar el protocolo de enlace TLS cada vez que una URL \\\"wss:\\\" es usada para la conexi\u00f3n. Este m\u00e9todo no implementa la verificaci\u00f3n de certificados por defecto, lo que significa que no comprueba que el servidor presente un certificado TLS v\u00e1lido y confiable para el nombre de host esperado. Eso significa que cualquier conexi\u00f3n \\\"wss:\\\" realizada con esta biblioteca es vulnerable a un ataque de tipo man-in-the-middle, ya que no confirma la identidad del servidor al que est\u00e1 conectado. Para obtener m\u00e1s informaci\u00f3n de fondo sobre este tema, consulte el Aviso de GitHub referenciado. Es recomendado actualizar \\\"faye-websocket\\\" a la versi\u00f3n  v0.11.0\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N\",\"baseScore\":8.0,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.6,\"impactScore\":5.8},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N\",\"baseScore\":8.7,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.2,\"impactScore\":5.8}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:P/I:P/A:N\",\"baseScore\":5.8,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":4.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-295\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-295\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:faye-websocket_project:faye-websocket:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"0.11.0\",\"matchCriteriaId\":\"6A21B57E-CBCB-44A7-B047-AFD01BAD894F\"}]}]}],\"references\":[{\"url\":\"https://blog.jcoglan.com/2020/07/31/missing-tls-verification-in-faye/\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/faye/faye-websocket-ruby/security/advisories/GHSA-2v5c-755p-p4gv\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://blog.jcoglan.com/2020/07/31/missing-tls-verification-in-faye/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/faye/faye-websocket-ruby/security/advisories/GHSA-2v5c-755p-p4gv\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]}]}}"
  }
}

CNVD-2020-44629

Vulnerability from cnvd - Published: 2020-08-06

Title

faye-websocket信任管理问题漏洞

Description

faye-websocket是一款WebSocket实现，它主要提供WebSocket服务器和客户端等。 faye-websocket 0.11.0之前版本中存在信任管理问题漏洞，该漏洞源于在TLS握手过程中，程序没有进行证书检查。攻击者可利用该漏洞实施中间人攻击。

Severity

高

Patch Name

faye-websocket信任管理问题漏洞的补丁

Patch Description

faye-websocket是一款WebSocket实现，它主要提供WebSocket服务器和客户端等。 faye-websocket 0.11.0之前版本中存在信任管理问题漏洞，该漏洞源于在TLS握手过程中，程序没有进行证书检查。攻击者可利用该漏洞实施中间人攻击。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://github.com/faye/faye-websocket-ruby/security/advisories/GHSA-2v5c-755p-p4gv

Reference

https://github.com/faye/faye-websocket-ruby/security/advisories/GHSA-2v5c-755p-p4gv

Impacted products

Name
faye-websocket faye-websocket <0.11.0

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-15133",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2020-15133"
    }
  },
  "description": "faye-websocket\u662f\u4e00\u6b3eWebSocket\u5b9e\u73b0\uff0c\u5b83\u4e3b\u8981\u63d0\u4f9bWebSocket\u670d\u52a1\u5668\u548c\u5ba2\u6237\u7aef\u7b49\u3002\n\nfaye-websocket 0.11.0\u4e4b\u524d\u7248\u672c\u4e2d\u5b58\u5728\u4fe1\u4efb\u7ba1\u7406\u95ee\u9898\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5728TLS\u63e1\u624b\u8fc7\u7a0b\u4e2d\uff0c\u7a0b\u5e8f\u6ca1\u6709\u8fdb\u884c\u8bc1\u4e66\u68c0\u67e5\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5b9e\u65bd\u4e2d\u95f4\u4eba\u653b\u51fb\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://github.com/faye/faye-websocket-ruby/security/advisories/GHSA-2v5c-755p-p4gv",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-44629",
  "openTime": "2020-08-06",
  "patchDescription": "faye-websocket\u662f\u4e00\u6b3eWebSocket\u5b9e\u73b0\uff0c\u5b83\u4e3b\u8981\u63d0\u4f9bWebSocket\u670d\u52a1\u5668\u548c\u5ba2\u6237\u7aef\u7b49\u3002\r\n\r\nfaye-websocket 0.11.0\u4e4b\u524d\u7248\u672c\u4e2d\u5b58\u5728\u4fe1\u4efb\u7ba1\u7406\u95ee\u9898\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5728TLS\u63e1\u624b\u8fc7\u7a0b\u4e2d\uff0c\u7a0b\u5e8f\u6ca1\u6709\u8fdb\u884c\u8bc1\u4e66\u68c0\u67e5\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5b9e\u65bd\u4e2d\u95f4\u4eba\u653b\u51fb\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "faye-websocket\u4fe1\u4efb\u7ba1\u7406\u95ee\u9898\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "faye-websocket faye-websocket \u003c0.11.0"
  },
  "referenceLink": "https://github.com/faye/faye-websocket-ruby/security/advisories/GHSA-2v5c-755p-p4gv",
  "serverity": "\u9ad8",
  "submitTime": "2020-08-03",
  "title": "faye-websocket\u4fe1\u4efb\u7ba1\u7406\u95ee\u9898\u6f0f\u6d1e"
}

FKIE_CVE-2020-15133

Vulnerability from fkie_nvd - Published: 2020-07-31 18:15 - Updated: 2024-11-21 05:04

Severity ?

8.0 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
8.7 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

Summary

References

URL	Tags
security-advisories@github.com	https://blog.jcoglan.com/2020/07/31/missing-tls-verification-in-faye/	Exploit, Third Party Advisory
security-advisories@github.com	https://github.com/faye/faye-websocket-ruby/security/advisories/GHSA-2v5c-755p-p4gv	Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://blog.jcoglan.com/2020/07/31/missing-tls-verification-in-faye/	Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/faye/faye-websocket-ruby/security/advisories/GHSA-2v5c-755p-p4gv	Exploit, Third Party Advisory

Impacted products

	Vendor	Product	Version
	faye-websocket_project	faye-websocket	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:faye-websocket_project:faye-websocket:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "6A21B57E-CBCB-44A7-B047-AFD01BAD894F",
              "versionEndExcluding": "0.11.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In faye-websocket before version 0.11.0, there is a lack of certification validation in TLS handshakes. The `Faye::WebSocket::Client` class uses the `EM::Connection#start_tls` method in EventMachine to implement the TLS handshake whenever a `wss:` URL is used for the connection. This method does not implement certificate verification by default, meaning that it does not check that the server presents a valid and trusted TLS certificate for the expected hostname. That means that any `wss:` connection made using this library is vulnerable to a man-in-the-middle attack, since it does not confirm the identity of the server it is connected to. For further background information on this issue, please see the referenced GitHub Advisory. Upgrading `faye-websocket` to v0.11.0 is recommended."
    },
    {
      "lang": "es",
      "value": "En faye-websocket versiones anteriores a 0.11.0, se presenta una falta de comprobaci\u00f3n de certificaci\u00f3n en los protocolos de enlaces TLS. La clase \"Faye::WebSocket::Client\" usa el m\u00e9todo \"EM::Connection #start_tls\" en EventMachine para implementar el protocolo de enlace TLS cada vez que una URL \"wss:\" es usada para la conexi\u00f3n. Este m\u00e9todo no implementa la verificaci\u00f3n de certificados por defecto, lo que significa que no comprueba que el servidor presente un certificado TLS v\u00e1lido y confiable para el nombre de host esperado. Eso significa que cualquier conexi\u00f3n \"wss:\" realizada con esta biblioteca es vulnerable a un ataque de tipo man-in-the-middle, ya que no confirma la identidad del servidor al que est\u00e1 conectado. Para obtener m\u00e1s informaci\u00f3n de fondo sobre este tema, consulte el Aviso de GitHub referenciado. Es recomendado actualizar \"faye-websocket\" a la versi\u00f3n  v0.11.0"
    }
  ],
  "id": "CVE-2020-15133",
  "lastModified": "2024-11-21T05:04:54.867",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 5.8,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 4.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.0,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.6,
        "impactScore": 5.8,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.7,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 5.8,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-07-31T18:15:14.473",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://blog.jcoglan.com/2020/07/31/missing-tls-verification-in-faye/"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://github.com/faye/faye-websocket-ruby/security/advisories/GHSA-2v5c-755p-p4gv"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://blog.jcoglan.com/2020/07/31/missing-tls-verification-in-faye/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://github.com/faye/faye-websocket-ruby/security/advisories/GHSA-2v5c-755p-p4gv"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-295"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-295"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-2V5C-755P-P4GV

Vulnerability from github – Published: 2020-07-31 17:40 – Updated: 2023-05-16 16:01

Summary

Missing TLS certificate verification in faye-websocket

Details

The Faye::WebSocket::Client class uses the EM::Connection#start_tls method in EventMachine to implement the TLS handshake whenever a wss: URL is used for the connection. This method does not implement certificate verification by default, meaning that it does not check that the server presents a valid and trusted TLS certificate for the expected hostname. That means that any wss: connection made using this library is vulnerable to a man-in-the-middle attack, since it does not confirm the identity of the server it is connected to.

This has been a requested feature in EventMachine for many years now; see for example #275, #378, and #814. In June 2020, em-http-request published an advisory related to this problem and fixed it by implementing TLS verification in their own codebase; although EventMachine does not implement certificate verification itself, it provides an extension point for the caller to implement it, called ssl_verify_peer. Based on this implementation, we have incorporated similar functionality into faye-websocket for Ruby, such that we use the OpenSSL module to perform two checks:

The chain of certificates presented by the server is valid and ultimately trusted by your root certificate set -- either your system default root certificates, or a set provided at runtime
The final certificate presented by the server is valid for the hostname used in the request URI; if the connection is made via a proxy we use the hostname from the request, not the proxy's hostname

After implementing verification in v1.1.6, em-http-request has elected to leave the :verify_peer option switched off by default. We have decided to enable this option by default in faye-websocket, but are publishing a minor release with added functionality for configuring it. We are mindful of the fact that this may break existing programs, but we consider it much more important that all clients have TLS verification turned on by default. A client that is not carrying out verification is either:

talking to the expected server, and will not break under this change
being attacked, and would benefit from being alerted to this fact
deliberately talking to a server that would be rejected by verification

The latter case includes situations like talking to a non-public server using a self-signed certificate. We consider this use case to be "working by accident", rather than functionality that was actively supported, and it should be properly and explicitly supported instead. To that end, we have added two new options to the Faye::WebSocket::Client constructor: tls.root_cert_file, and tls.verify_peer.

The :root_cert_file option lets you provide a different set of root certificates in situations where you don't want to use your system's default root certificates to verify the remote host. It should be a path or an array of paths identifying the certificates to use instead of the defaults.

client = Faye::WebSocket::Client.new('wss://example.com/', [], tls: {
  root_cert_file: 'path/to/certificate.pem'
})

The :verify_peer option lets you turn verification off entirely. This should be a last resort and we recommend using the :root_cert_file option if possible.

client = Faye::WebSocket::Client.new('wss://example.com/', [], tls: {
  verify_peer: false
})

To get the new behaviour, please upgrade to v0.11.0 of the Rubygems package. There are, unfortunately, no workarounds for this issue, as you cannot enable :verify_peer in EventMachine unless the calling library contains an implementation of ssl_verify_peer that actually checks the server's certificates.

For further background information on this issue, please see faye#524 and faye-websocket#129. We would like to thank Tero Marttila and Daniel Morsing for providing invaluable assistance and feedback on this issue.

Severity ?

8.0 (High)


                  
                    CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "faye-websocket"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.11.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-15133"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-07-31T17:39:00Z",
    "nvd_published_at": "2020-07-31T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "The `Faye::WebSocket::Client` class uses the [`EM::Connection#start_tls`][1] method in [EventMachine][2] to implement the TLS handshake whenever a `wss:` URL is used for the connection. This method does not implement certificate verification by default, meaning that it does not check that the server presents a valid and trusted TLS certificate for the expected hostname. That means that any `wss:` connection made using this library is vulnerable to a man-in-the-middle attack, since it does not confirm the identity of the server it is connected to.\n\nThis has been a requested feature in EventMachine for many years now; see for example [#275][3], [#378][4], and [#814][5]. In June 2020, [em-http-request][6] published an [advisory][7] related to this problem and fixed it by [implementing TLS verification][8] in their own codebase; although EventMachine does not implement certificate verification itself, it provides an extension point for the caller to implement it, called [`ssl_verify_peer`][9]. Based on this implementation, we have incorporated similar functionality into [faye-websocket for Ruby][10], such that we use the `OpenSSL` module to perform two checks:\n\n- The chain of certificates presented by the server is valid and ultimately trusted by your root certificate set -- either your system default root certificates, or a set provided at runtime\n- The final certificate presented by the server is valid for the hostname used in the request URI; if the connection is made via a proxy we use the hostname from the request, not the proxy\u0027s hostname\n\nAfter implementing verification in v1.1.6, em-http-request has elected to leave the `:verify_peer` option switched off by default. We have decided to _enable_ this option by default in faye-websocket, but are publishing a minor release with added functionality for configuring it. We are mindful of the fact that this may break existing programs, but we consider it much more important that\nall clients have TLS verification turned on by default. A client that is not carrying out verification is either:\n\n- talking to the expected server, and will not break under this change\n- being attacked, and would benefit from being alerted to this fact\n- deliberately talking to a server that would be rejected by verification\n\nThe latter case includes situations like talking to a non-public server using a self-signed certificate. We consider this use case to be \"working by accident\", rather than functionality that was actively supported, and it should be properly and explicitly supported instead. To that end, we have added two new options to the `Faye::WebSocket::Client` constructor: `tls.root_cert_file`, and `tls.verify_peer`.\n\nThe `:root_cert_file` option lets you provide a different set of root certificates in situations where you don\u0027t want to use your system\u0027s default root certificates to verify the remote host. It should be a path or an array of paths identifying the certificates to use instead of the defaults.\n\n```rb\nclient = Faye::WebSocket::Client.new(\u0027wss://example.com/\u0027, [], tls: {\n  root_cert_file: \u0027path/to/certificate.pem\u0027\n})\n```\n\nThe `:verify_peer` option lets you turn verification off entirely. This should be a last resort and we recommend using the `:root_cert_file` option if possible.\n\n```rb\nclient = Faye::WebSocket::Client.new(\u0027wss://example.com/\u0027, [], tls: {\n  verify_peer: false\n})\n```\n\nTo get the new behaviour, please upgrade to v0.11.0 of the [Rubygems package][10]. There are, unfortunately, no workarounds for this issue, as you cannot enable `:verify_peer` in EventMachine unless the calling library contains an implementation of `ssl_verify_peer` that actually checks the server\u0027s certificates.\n\nFor further background information on this issue, please see [faye#524][12] and [faye-websocket#129][13]. We would like to thank [Tero Marttila][14] and [Daniel Morsing][15] for providing invaluable assistance and feedback on this issue.\n\n[1]: https://www.rubydoc.info/github/eventmachine/eventmachine/EventMachine/Connection:start_tls\n[2]: https://rubygems.org/gems/eventmachine\n[3]: https://github.com/eventmachine/eventmachine/issues/275\n[4]: https://github.com/eventmachine/eventmachine/pull/378\n[5]: https://github.com/eventmachine/eventmachine/issues/814\n[6]: https://rubygems.org/gems/em-http-request\n[7]: https://securitylab.github.com/advisories/GHSL-2020-094-igrigorik-em-http-request\n[8]: https://github.com/igrigorik/em-http-request/pull/340\n[9]: https://www.rubydoc.info/github/eventmachine/eventmachine/EventMachine/Connection:ssl_verify_peer\n[10]: https://rubygems.org/gems/faye-websocket\n[12]: https://github.com/faye/faye/issues/524\n[13]: https://github.com/faye/faye-websocket-ruby/pull/129\n[14]: https://github.com/SpComb\n[15]: https://github.com/DanielMorsing",
  "id": "GHSA-2v5c-755p-p4gv",
  "modified": "2023-05-16T16:01:20Z",
  "published": "2020-07-31T17:40:04Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/faye/faye-websocket-ruby/security/advisories/GHSA-2v5c-755p-p4gv"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15133"
    },
    {
      "type": "WEB",
      "url": "https://github.com/eventmachine/eventmachine/issues/275"
    },
    {
      "type": "WEB",
      "url": "https://github.com/eventmachine/eventmachine/issues/814"
    },
    {
      "type": "WEB",
      "url": "https://github.com/faye/faye/issues/524"
    },
    {
      "type": "WEB",
      "url": "https://github.com/eventmachine/eventmachine/pull/378"
    },
    {
      "type": "WEB",
      "url": "https://github.com/faye/faye-websocket-ruby/pull/129"
    },
    {
      "type": "WEB",
      "url": "https://github.com/igrigorik/em-http-request/pull/340"
    },
    {
      "type": "WEB",
      "url": "https://blog.jcoglan.com/2020/07/31/missing-tls-verification-in-faye"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/faye/faye-websocket-ruby"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/faye-websocket/CVE-2020-15133.yml"
    },
    {
      "type": "ADVISORY",
      "url": "https://securitylab.github.com/advisories/GHSL-2020-094-igrigorik-em-http-request"
    },
    {
      "type": "WEB",
      "url": "https://www.rubydoc.info/github/eventmachine/eventmachine/EventMachine/Connection:ssl_verify_peer"
    },
    {
      "type": "WEB",
      "url": "https://www.rubydoc.info/github/eventmachine/eventmachine/EventMachine/Connection:start_tls"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Missing TLS certificate verification in faye-websocket"
}

GSD-2020-15133

Vulnerability from gsd - Updated: 2020-07-31 00:00

Details

The `Faye::WebSocket::Client` class uses the [`EM::Connection#start_tls`][1] method in [EventMachine][2] to implement the TLS handshake whenever a `wss:` URL is used for the connection. This method does not implement certificate verification by default, meaning that it does not check that the server presents a valid and trusted TLS certificate for the expected hostname. That means that any `wss:` connection made using this library is vulnerable to a man-in-the-middle attack, since it does not confirm the identity of the server it is connected to. This has been a requested feature in EventMachine for many years now; see for example [#275][3], [#378][4], and [#814][5]. In June 2020, [em-http-request][6] published an [advisory][7] related to this problem and fixed it by [implementing TLS verification][8] in their own codebase; although EventMachine does not implement certificate verification itself, it provides an extension point for the caller to implement it, called [`ssl_verify_peer`][9]. Based on this implementation, we have incorporated similar functionality into [faye-websocket for Ruby][10], such that we use the `OpenSSL` module to perform two checks: - The chain of certificates presented by the server is valid and ultimately trusted by your root certificate set -- either your system default root certificates, or a set provided at runtime - The final certificate presented by the server is valid for the hostname used in the request URI; if the connection is made via a proxy we use the hostname from the request, not the proxy's hostname After implementing verification in v1.1.6, em-http-request has elected to leave the `:verify_peer` option switched off by default. We have decided to _enable_ this option by default in faye-websocket, but are publishing a minor release with added functionality for configuring it. We are mindful of the fact that this may break existing programs, but we consider it much more important that all clients have TLS verification turned on by default. A client that is not carrying out verification is either: - talking to the expected server, and will not break under this change - being attacked, and would benefit from being alerted to this fact - deliberately talking to a server that would be rejected by verification The latter case includes situations like talking to a non-public server using a self-signed certificate. We consider this use case to be "working by accident", rather than functionality that was actively supported, and it should be properly and explicitly supported instead. To that end, we have added two new options to the `Faye::WebSocket::Client` constructor: `tls.root_cert_file`, and `tls.verify_peer`. The `:root_cert_file` option lets you provide a different set of root certificates in situations where you don't want to use your system's default root certificates to verify the remote host. It should be a path or an array of paths identifying the certificates to use instead of the defaults. ```rb client = Faye::WebSocket::Client.new('wss://example.com/', [], tls: { root_cert_file: 'path/to/certificate.pem' }) ``` The `:verify_peer` option lets you turn verification off entirely. This should be a last resort and we recommend using the `:root_cert_file` option if possible. ```rb client = Faye::WebSocket::Client.new('wss://example.com/', [], tls: { verify_peer: false }) ``` To get the new behaviour, please upgrade to v0.11.0 of the [Rubygems package][10]. There are, unfortunately, no workarounds for this issue, as you cannot enable `:verify_peer` in EventMachine unless the calling library contains an implementation of `ssl_verify_peer` that actually checks the server's certificates. For further background information on this issue, please see [faye#524][12] and [faye-websocket#129][13]. We would like to thank [Tero Marttila][14] and [Daniel Morsing][15] for providing invaluable assistance and feedback on this issue. [1]: https://www.rubydoc.info/github/eventmachine/eventmachine/EventMachine/Connection:start_tls [2]: https://rubygems.org/gems/eventmachine [3]: https://github.com/eventmachine/eventmachine/issues/275 [4]: https://github.com/eventmachine/eventmachine/pull/378 [5]: https://github.com/eventmachine/eventmachine/issues/814 [6]: https://rubygems.org/gems/em-http-request [7]: https://securitylab.github.com/advisories/GHSL-2020-094-igrigorik-em-http-request [8]: https://github.com/igrigorik/em-http-request/pull/340 [9]: https://www.rubydoc.info/github/eventmachine/eventmachine/EventMachine/Connection:ssl_verify_peer [10]: https://rubygems.org/gems/faye-websocket [12]: https://github.com/faye/faye/issues/524 [13]: https://github.com/faye/faye-websocket-ruby/pull/129 [14]: https://github.com/SpComb [15]: https://github.com/DanielMorsing

Aliases

CVE-2020-15133

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2020-15133",
    "description": "In faye-websocket before version 0.11.0, there is a lack of certification validation in TLS handshakes. The `Faye::WebSocket::Client` class uses the `EM::Connection#start_tls` method in EventMachine to implement the TLS handshake whenever a `wss:` URL is used for the connection. This method does not implement certificate verification by default, meaning that it does not check that the server presents a valid and trusted TLS certificate for the expected hostname. That means that any `wss:` connection made using this library is vulnerable to a man-in-the-middle attack, since it does not confirm the identity of the server it is connected to. For further background information on this issue, please see the referenced GitHub Advisory. Upgrading `faye-websocket` to v0.11.0 is recommended.",
    "id": "GSD-2020-15133"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "affected": [
        {
          "package": {
            "ecosystem": "RubyGems",
            "name": "faye-websocket",
            "purl": "pkg:gem/faye-websocket"
          }
        }
      ],
      "aliases": [
        "CVE-2020-15133",
        "GHSA-2v5c-755p-p4gv"
      ],
      "details": "The `Faye::WebSocket::Client` class uses the [`EM::Connection#start_tls`][1]\nmethod in [EventMachine][2] to implement the TLS handshake whenever a `wss:` URL\nis used for the connection. This method does not implement certificate\nverification by default, meaning that it does not check that the server presents\na valid and trusted TLS certificate for the expected hostname. That means that\nany `wss:` connection made using this library is vulnerable to a\nman-in-the-middle attack, since it does not confirm the identity of the server\nit is connected to.\n\nThis has been a requested feature in EventMachine for many years now; see for\nexample [#275][3], [#378][4], and [#814][5]. In June 2020, [em-http-request][6]\npublished an [advisory][7] related to this problem and fixed it by [implementing\nTLS verification][8] in their own codebase; although EventMachine does not\nimplement certificate verification itself, it provides an extension point for\nthe caller to implement it, called [`ssl_verify_peer`][9]. Based on this\nimplementation, we have incorporated similar functionality into [faye-websocket\nfor Ruby][10], such that we use the `OpenSSL` module to perform two checks:\n\n- The chain of certificates presented by the server is valid and ultimately\n  trusted by your root certificate set -- either your system default root\n  certificates, or a set provided at runtime\n- The final certificate presented by the server is valid for the hostname used\n  in the request URI; if the connection is made via a proxy we use the hostname\n  from the request, not the proxy\u0027s hostname\n\nAfter implementing verification in v1.1.6, em-http-request has elected to leave\nthe `:verify_peer` option switched off by default. We have decided to _enable_\nthis option by default in faye-websocket, but are publishing a minor release\nwith added functionality for configuring it. We are mindful of the fact that\nthis may break existing programs, but we consider it much more important that\nall clients have TLS verification turned on by default. A client that is not\ncarrying out verification is either:\n\n- talking to the expected server, and will not break under this change\n- being attacked, and would benefit from being alerted to this fact\n- deliberately talking to a server that would be rejected by verification\n\nThe latter case includes situations like talking to a non-public server using a\nself-signed certificate. We consider this use case to be \"working by accident\",\nrather than functionality that was actively supported, and it should be properly\nand explicitly supported instead. To that end, we have added two new options to\nthe `Faye::WebSocket::Client` constructor: `tls.root_cert_file`, and\n`tls.verify_peer`.\n\nThe `:root_cert_file` option lets you provide a different set of root\ncertificates in situations where you don\u0027t want to use your system\u0027s default\nroot certificates to verify the remote host. It should be a path or an array of\npaths identifying the certificates to use instead of the defaults.\n\n```rb\nclient = Faye::WebSocket::Client.new(\u0027wss://example.com/\u0027, [], tls: {\n  root_cert_file: \u0027path/to/certificate.pem\u0027\n})\n```\n\nThe `:verify_peer` option lets you turn verification off entirely. This should\nbe a last resort and we recommend using the `:root_cert_file` option if\npossible.\n\n```rb\nclient = Faye::WebSocket::Client.new(\u0027wss://example.com/\u0027, [], tls: {\n  verify_peer: false\n})\n```\n\nTo get the new behaviour, please upgrade to v0.11.0 of the [Rubygems\npackage][10]. There are, unfortunately, no workarounds for this issue, as you\ncannot enable `:verify_peer` in EventMachine unless the calling library contains\nan implementation of `ssl_verify_peer` that actually checks the server\u0027s\ncertificates.\n\nFor further background information on this issue, please see [faye#524][12] and\n[faye-websocket#129][13]. We would like to thank [Tero Marttila][14] and [Daniel\nMorsing][15] for providing invaluable assistance and feedback on this issue.\n\n[1]: https://www.rubydoc.info/github/eventmachine/eventmachine/EventMachine/Connection:start_tls\n[2]: https://rubygems.org/gems/eventmachine\n[3]: https://github.com/eventmachine/eventmachine/issues/275\n[4]: https://github.com/eventmachine/eventmachine/pull/378\n[5]: https://github.com/eventmachine/eventmachine/issues/814\n[6]: https://rubygems.org/gems/em-http-request\n[7]: https://securitylab.github.com/advisories/GHSL-2020-094-igrigorik-em-http-request\n[8]: https://github.com/igrigorik/em-http-request/pull/340\n[9]: https://www.rubydoc.info/github/eventmachine/eventmachine/EventMachine/Connection:ssl_verify_peer\n[10]: https://rubygems.org/gems/faye-websocket\n[12]: https://github.com/faye/faye/issues/524\n[13]: https://github.com/faye/faye-websocket-ruby/pull/129\n[14]: https://github.com/SpComb\n[15]: https://github.com/DanielMorsing",
      "id": "GSD-2020-15133",
      "modified": "2020-07-31T00:00:00.000Z",
      "published": "2020-07-31T00:00:00.000Z",
      "references": [
        {
          "type": "WEB",
          "url": "https://github.com/faye/faye-websocket-ruby/security/advisories/GHSA-2v5c-755p-p4gv"
        }
      ],
      "schema_version": "1.4.0",
      "severity": [
        {
          "score": 8.0,
          "type": "CVSS_V3"
        }
      ],
      "summary": "Missing TLS certificate verification in faye-websocket"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2020-15133",
        "STATE": "PUBLIC",
        "TITLE": "Missing TLS certificate verification in Faye Websocket"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "faye-websocket",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "\u003c 0.11.0"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "faye"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "In faye-websocket before version 0.11.0, there is a lack of certification validation in TLS handshakes. The `Faye::WebSocket::Client` class uses the `EM::Connection#start_tls` method in EventMachine to implement the TLS handshake whenever a `wss:` URL is used for the connection. This method does not implement certificate verification by default, meaning that it does not check that the server presents a valid and trusted TLS certificate for the expected hostname. That means that any `wss:` connection made using this library is vulnerable to a man-in-the-middle attack, since it does not confirm the identity of the server it is connected to. For further background information on this issue, please see the referenced GitHub Advisory. Upgrading `faye-websocket` to v0.11.0 is recommended."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-295: Improper Certificate Validation"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://blog.jcoglan.com/2020/07/31/missing-tls-verification-in-faye/",
            "refsource": "MISC",
            "url": "https://blog.jcoglan.com/2020/07/31/missing-tls-verification-in-faye/"
          },
          {
            "name": "https://github.com/faye/faye-websocket-ruby/security/advisories/GHSA-2v5c-755p-p4gv",
            "refsource": "CONFIRM",
            "url": "https://github.com/faye/faye-websocket-ruby/security/advisories/GHSA-2v5c-755p-p4gv"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-2v5c-755p-p4gv",
        "discovery": "UNKNOWN"
      }
    },
    "github.com/rubysec/ruby-advisory-db": {
      "cve": "2020-15133",
      "cvss_v3": 8.0,
      "date": "2020-07-31",
      "description": "The `Faye::WebSocket::Client` class uses the [`EM::Connection#start_tls`][1]\nmethod in [EventMachine][2] to implement the TLS handshake whenever a `wss:` URL\nis used for the connection. This method does not implement certificate\nverification by default, meaning that it does not check that the server presents\na valid and trusted TLS certificate for the expected hostname. That means that\nany `wss:` connection made using this library is vulnerable to a\nman-in-the-middle attack, since it does not confirm the identity of the server\nit is connected to.\n\nThis has been a requested feature in EventMachine for many years now; see for\nexample [#275][3], [#378][4], and [#814][5]. In June 2020, [em-http-request][6]\npublished an [advisory][7] related to this problem and fixed it by [implementing\nTLS verification][8] in their own codebase; although EventMachine does not\nimplement certificate verification itself, it provides an extension point for\nthe caller to implement it, called [`ssl_verify_peer`][9]. Based on this\nimplementation, we have incorporated similar functionality into [faye-websocket\nfor Ruby][10], such that we use the `OpenSSL` module to perform two checks:\n\n- The chain of certificates presented by the server is valid and ultimately\n  trusted by your root certificate set -- either your system default root\n  certificates, or a set provided at runtime\n- The final certificate presented by the server is valid for the hostname used\n  in the request URI; if the connection is made via a proxy we use the hostname\n  from the request, not the proxy\u0027s hostname\n\nAfter implementing verification in v1.1.6, em-http-request has elected to leave\nthe `:verify_peer` option switched off by default. We have decided to _enable_\nthis option by default in faye-websocket, but are publishing a minor release\nwith added functionality for configuring it. We are mindful of the fact that\nthis may break existing programs, but we consider it much more important that\nall clients have TLS verification turned on by default. A client that is not\ncarrying out verification is either:\n\n- talking to the expected server, and will not break under this change\n- being attacked, and would benefit from being alerted to this fact\n- deliberately talking to a server that would be rejected by verification\n\nThe latter case includes situations like talking to a non-public server using a\nself-signed certificate. We consider this use case to be \"working by accident\",\nrather than functionality that was actively supported, and it should be properly\nand explicitly supported instead. To that end, we have added two new options to\nthe `Faye::WebSocket::Client` constructor: `tls.root_cert_file`, and\n`tls.verify_peer`.\n\nThe `:root_cert_file` option lets you provide a different set of root\ncertificates in situations where you don\u0027t want to use your system\u0027s default\nroot certificates to verify the remote host. It should be a path or an array of\npaths identifying the certificates to use instead of the defaults.\n\n```rb\nclient = Faye::WebSocket::Client.new(\u0027wss://example.com/\u0027, [], tls: {\n  root_cert_file: \u0027path/to/certificate.pem\u0027\n})\n```\n\nThe `:verify_peer` option lets you turn verification off entirely. This should\nbe a last resort and we recommend using the `:root_cert_file` option if\npossible.\n\n```rb\nclient = Faye::WebSocket::Client.new(\u0027wss://example.com/\u0027, [], tls: {\n  verify_peer: false\n})\n```\n\nTo get the new behaviour, please upgrade to v0.11.0 of the [Rubygems\npackage][10]. There are, unfortunately, no workarounds for this issue, as you\ncannot enable `:verify_peer` in EventMachine unless the calling library contains\nan implementation of `ssl_verify_peer` that actually checks the server\u0027s\ncertificates.\n\nFor further background information on this issue, please see [faye#524][12] and\n[faye-websocket#129][13]. We would like to thank [Tero Marttila][14] and [Daniel\nMorsing][15] for providing invaluable assistance and feedback on this issue.\n\n[1]: https://www.rubydoc.info/github/eventmachine/eventmachine/EventMachine/Connection:start_tls\n[2]: https://rubygems.org/gems/eventmachine\n[3]: https://github.com/eventmachine/eventmachine/issues/275\n[4]: https://github.com/eventmachine/eventmachine/pull/378\n[5]: https://github.com/eventmachine/eventmachine/issues/814\n[6]: https://rubygems.org/gems/em-http-request\n[7]: https://securitylab.github.com/advisories/GHSL-2020-094-igrigorik-em-http-request\n[8]: https://github.com/igrigorik/em-http-request/pull/340\n[9]: https://www.rubydoc.info/github/eventmachine/eventmachine/EventMachine/Connection:ssl_verify_peer\n[10]: https://rubygems.org/gems/faye-websocket\n[12]: https://github.com/faye/faye/issues/524\n[13]: https://github.com/faye/faye-websocket-ruby/pull/129\n[14]: https://github.com/SpComb\n[15]: https://github.com/DanielMorsing",
      "gem": "faye-websocket",
      "ghsa": "2v5c-755p-p4gv",
      "patched_versions": [
        "\u003e= 0.11.0"
      ],
      "title": "Missing TLS certificate verification in faye-websocket",
      "url": "https://github.com/faye/faye-websocket-ruby/security/advisories/GHSA-2v5c-755p-p4gv"
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c0.11.0",
          "affected_versions": "All versions before 0.11.0",
          "cvss_v2": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-295",
            "CWE-937"
          ],
          "date": "2020-08-11",
          "description": "In faye-websocket, there is a lack of certification validation in TLS handshakes. The `Faye::WebSocket::Client` class uses the `EM::Connection#start_tls` method in EventMachine to implement the TLS handshake whenever a `wss:` URL is used for the connection. This method does not implement certificate verification by default, meaning that it does not check that the server presents a valid and trusted TLS certificate for the expected hostname. That means that any `wss:` connection made using this library is vulnerable to a man-in-the-middle attack, since it does not confirm the identity of the server it is connected to.",
          "fixed_versions": [
            "0.11.0"
          ],
          "identifier": "CVE-2020-15133",
          "identifiers": [
            "CVE-2020-15133",
            "GHSA-2v5c-755p-p4gv"
          ],
          "not_impacted": "All versions starting from 0.11.0",
          "package_slug": "gem/faye-websocket",
          "pubdate": "2020-07-31",
          "solution": "Upgrade to version 0.11.0 or above.",
          "title": "Improper Certificate Validation",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2020-15133",
            "https://blog.jcoglan.com/2020/07/31/missing-tls-verification-in-faye/",
            "https://github.com/faye/faye-websocket-ruby/security/advisories/GHSA-2v5c-755p-p4gv"
          ],
          "uuid": "d84a708f-7a94-4215-b5f2-733e0f4126e5"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:faye-websocket_project:faye-websocket:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "0.11.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2020-15133"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "In faye-websocket before version 0.11.0, there is a lack of certification validation in TLS handshakes. The `Faye::WebSocket::Client` class uses the `EM::Connection#start_tls` method in EventMachine to implement the TLS handshake whenever a `wss:` URL is used for the connection. This method does not implement certificate verification by default, meaning that it does not check that the server presents a valid and trusted TLS certificate for the expected hostname. That means that any `wss:` connection made using this library is vulnerable to a man-in-the-middle attack, since it does not confirm the identity of the server it is connected to. For further background information on this issue, please see the referenced GitHub Advisory. Upgrading `faye-websocket` to v0.11.0 is recommended."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-295"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://blog.jcoglan.com/2020/07/31/missing-tls-verification-in-faye/",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Third Party Advisory"
              ],
              "url": "https://blog.jcoglan.com/2020/07/31/missing-tls-verification-in-faye/"
            },
            {
              "name": "https://github.com/faye/faye-websocket-ruby/security/advisories/GHSA-2v5c-755p-p4gv",
              "refsource": "CONFIRM",
              "tags": [
                "Exploit",
                "Third Party Advisory"
              ],
              "url": "https://github.com/faye/faye-websocket-ruby/security/advisories/GHSA-2v5c-755p-p4gv"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 5.8,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 4.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 2.2,
          "impactScore": 5.8
        }
      },
      "lastModifiedDate": "2021-11-18T18:28Z",
      "publishedDate": "2020-07-31T18:15Z"
    }
  }
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2020-15133 (GCVE-0-2020-15133)

CNVD-2020-44629

FKIE_CVE-2020-15133

GHSA-2V5C-755P-P4GV

GSD-2020-15133

Tags

Sightings

Nomenclature