← back
CVE-2020-11020

Authentication and extension bypass in Faye

CVSS 8.5 HIGHEPSS 1.5%CWE-287
Vexday Risk Score
21Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 8.5EPSS 1.5%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
29 Apr 2020Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
Faye (NPM, RubyGem) versions greater than 0.5.0 and before 1.0.4, 1.1.3 and 1.2.5, has the potential for authentication bypass in the extension system. The vulnerability allows any client to bypass checks put in place by server-side extensions, by appending extra segments to the message channel. It is patched in versions 1.0.4, 1.1.3 and 1.2.5.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Affected products
faye · Faye

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/faye/faye/commit/65d297d341b607f3cb0b5fa6021a625a991cc30ehttps://github.com/faye/faye/security/advisories/GHSA-qpg4-4w7w-2mq5