Improper Authentication in Faye
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2020-11020 |
| CWE-ID | CWE-287 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Faye Web applications / Modules and components for CMS |
| Vendor | James Coglan |
Security Bulletin
This security bulletin contains one high risk vulnerability.
1) Improper Authentication
EUVDB-ID: #VU30293
Risk: High
CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-11020
CWE-ID:
CWE-287 - Improper Authentication
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
Faye (NPM, RubyGem) versions greater than 0.5.0 and before 1.0.4, 1.1.3 and 1.2.5, has the potential for authentication bypass in the extension system. The vulnerability allows any client to bypass checks put in place by server-side extensions, by appending extra segments to the message channel. It is patched in versions 1.0.4, 1.1.3 and 1.2.5.
MitigationInstall update from vendor's website.
Vulnerable software versionsFaye: 1.2.0 - 1.2.4
External linkshttp://github.com/faye/faye/commit/65d297d341b607f3cb0b5fa6021a625a991cc30e
http://github.com/faye/faye/security/advisories/GHSA-qpg4-4w7w-2mq5
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
