CVE-2020-15133: Improper Certificate Validation
In faye-websocket, there is a lack of certificate validation in TLS handshakes. The Faye::WebSocket::Client class uses the EM::Connection#start_tls method in EventMachine to implement the TLS handshake whenever a wss:// URL is used for the connection. This method does not implement certificate verification by default, meaning that it does not check that the server presents a valid and trusted TLS certificate for the expected hostname. That means that any wss:// connection made using this library is vulnerable to a man-in-the-middle attack, since it does not confirm the identity of the server it is connected to.
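The two checks the description says are missing, shown in isolation as an added example (not faye-websocket or EventMachine code): the server certificate must chain to a trusted root, and its identity must match the hostname from the wss:// URL. All certificates, CA names and the host name `ws.example.test` are constructed in memory for the demonstration.

```ruby
require 'openssl'

# Constructed in-memory certificates (no files, no network). Returns [cert, key].
# With no issuer the certificate is self-signed; ca: true marks it as a root CA.
def make_cert(subject, san: nil, issuer: nil, ca: false)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**62)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer[0].subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer ? issuer[0] : cert
  if ca
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
  else
    cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{san}"))
  end
  cert.sign(issuer ? issuer[1] : key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# What a TLS client has to do once the handshake delivers the peer certificate:
# (1) build a chain to a root it trusts, (2) match the expected hostname.
# Skipping either check (as in the vulnerable client) lets any certificate through.
def server_cert_trusted?(cert, trusted_roots, expected_host)
  store = OpenSSL::X509::Store.new
  trusted_roots.each { |root| store.add_cert(root) }
  return false unless store.verify(cert)                        # chain check
  OpenSSL::SSL.verify_certificate_identity(cert, expected_host) # hostname check
end

# Scenario: the trusted CA issued a cert for ws.example.test; an untrusted
# "rogue" CA (a man-in-the-middle) issued one for the very same name.
TRUSTED_CA = make_cert('/CN=Constructed Test CA', ca: true)
ROGUE_CA   = make_cert('/CN=Rogue CA', ca: true)
GENUINE    = make_cert('/CN=ws.example.test', san: 'ws.example.test', issuer: TRUSTED_CA).first
FORGED     = make_cert('/CN=ws.example.test', san: 'ws.example.test', issuer: ROGUE_CA).first

if __FILE__ == $PROGRAM_NAME
  roots = [TRUSTED_CA.first]
  puts "genuine cert, expected host: #{server_cert_trusted?(GENUINE, roots, 'ws.example.test')}"
  puts "genuine cert, other host:    #{server_cert_trusted?(GENUINE, roots, 'other.example.test')}"
  puts "forged by untrusted CA:      #{server_cert_trusted?(FORGED, roots, 'ws.example.test')}"
end
```

Only the first case should be accepted; a client that performs neither check, as described above, would accept all three.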