CVE-2020-11020 Information
Feb 14, 2021
cve
Description
Faye (NPM, RubyGem) versions greater than 0.5.0 and before 1.0.4, 1.1.3 and 1.2.5 have the potential for authentication bypass in the extension system. The vulnerability allows any client to bypass checks put in place by server-side extensions by appending extra segments to the message channel. It is patched in versions 1.0.4, 1.1.3 and 1.2.5.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Reference
https://github.com/faye/faye/commit/65d297d341b607f3cb0b5fa6021a625a991cc30e
https://github.com/faye/faye/security/advisories/GHSA-qpg4-4w7w-2mq5
Attack Complexity
LOW
Privileges Required
NONE
User Interaction Required
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
Base Score
9.8
Base Severity
HIGH