CVE-2020-11020
8.5
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Summary
Faye (NPM, RubyGem) versions greater than 0.5.0 and before 1.0.4, 1.1.3 and 1.2.5, has the potential for authentication bypass in the extension system. The vulnerability allows any client to bypass checks put in place by server-side extensions, by appending extra segments to the message channel. It is patched in versions 1.0.4, 1.1.3 and 1.2.5.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| faye | Faye | >= 0.5.0, < 1.0.4 | affected |
| faye | Faye | >= 1.1.0, < 1.1.3 | affected |
| faye | Faye | >= 1.2.0, < 1.2.5 | affected |
Weaknesses
- CWE-287: CWE-287: Improper Authentication
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/faye/faye/security/advisories/GHSA-qpg4-4w7w-2mq5
- https://github.com/faye/faye/commit/65d297d341b607f3cb0b5fa6021a625a991cc30e
References
- https://github.com/faye/faye/security/advisories/GHSA-qpg4-4w7w-2mq5
- https://github.com/faye/faye/commit/65d297d341b607f3cb0b5fa6021a625a991cc30e
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.