Improper Authentication in Faye - CVE-2020-11020


Published: April 29, 2020 / Updated: July 17, 2020


Vulnerability identifier: #VU30293
CSH Severity: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2020-11020
CWE-ID: CWE-287
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Faye
Software vendor: James Coglan

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

Faye (NPM, RubyGem) versions greater than 0.5.0 and before 1.0.4, 1.1.3 and 1.2.5 have the potential for authentication bypass in the extension system. The vulnerability allows any client to bypass checks put in place by server-side extensions by appending extra segments to the message channel. It is patched in versions 1.0.4, 1.1.3 and 1.2.5.
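The following is an added example, not part of this advisory and not Faye's own code: a server-side extension that authorizes `/meta/subscribe` messages and refuses any Bayeux meta channel carrying extra path segments, so a check written for `/meta/subscribe` cannot be routed around on a server that has not yet been updated. It assumes Faye's documented extension shape (an object with an `incoming(message, callback)` method, where setting `message.error` rejects the message); the token value and the `ext.authToken` field are constructed stand-ins for whatever authorization a real deployment performs. `exactMatchOnly` is the pattern the advisory warns about and is included only so the two can be compared.

```javascript
// Added example (not Faye's own code). Assumes Faye's extension API:
// an object with incoming(message, callback); setting message.error rejects
// the message. Token and channel values below are constructed for the demo.

const VALID_TOKEN = 'constructed-demo-token'; // constructed sample value

// Split a Bayeux channel into its segments: "/meta/subscribe" -> ["meta", "subscribe"].
// Returns null for anything that is not a string starting with "/".
function channelSegments(channel) {
  if (typeof channel !== 'string' || channel[0] !== '/') return null;
  return channel.split('/').slice(1);
}

// The pattern the advisory describes as bypassable on unpatched servers:
// only an exact "/meta/subscribe" channel is inspected, so a message whose
// channel carries extra segments is passed through without any check.
function exactMatchOnly(message) {
  if (message.channel === '/meta/subscribe') {
    const token = message.ext && message.ext.authToken;
    if (token !== VALID_TOKEN) return '403:' + message.subscription + ':unauthorized';
  }
  return null;
}

// Hardened check. Returns an error string (Bayeux "code:context:text" form)
// to attach to message.error, or null when the message is allowed.
function authorize(message) {
  const segments = channelSegments(message.channel);
  if (segments === null || segments.some((s) => s === '')) {
    return '400:' + String(message.channel) + ':malformed channel';
  }
  // Every Bayeux meta channel is exactly two segments ("/meta/<method>").
  // Anything longer is refused outright instead of being compared by prefix
  // or handed on to the server's own dispatch.
  if (segments[0] === 'meta' && segments.length !== 2) {
    return '403:' + message.channel + ':unexpected channel segments';
  }
  if (message.channel === '/meta/subscribe') {
    const token = message.ext && message.ext.authToken;
    if (token !== VALID_TOKEN) return '403:' + message.subscription + ':unauthorized';
  }
  return null;
}

// Extension object in the shape Faye expects: server.addExtension(authExtension)
const authExtension = {
  incoming(message, callback) {
    const error = authorize(message);
    if (error) message.error = error;
    callback(message);
  },
};
```

Register it with `server.addExtension(authExtension)`; rejected messages come back to the client with `successful: false` and the error string, and the segment-count rule also rejects `/meta/handshake/...` or `/meta/connect/...` variants, not only subscribe.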


Remediation

Install the update from the vendor's website.

External links