Improper Access Control

Affecting faye gem, versions <1.0.4 || >=1.1.0, <1.1.3 || >=1.2.0, <1.2.5

Report new vulnerabilities
Do your applications use this vulnerable package? Test your applications

Overview

faye is a simple pub/sub messaging for the web.

Affected versions of this package are vulnerable to Improper Access Control. The Server parses channels in a way that means any channel namespaced under /meta/subscribe will also work as a subscription request. For example if the client sends a message to the channel /meta/subscribe/x, that will bypass most authentication extensions but will still be interpreted by the server as a subscription request, and the client will be subscribed to the requested channel. The client has thus bypassed the user's access control policy.

Remediation

Upgrade faye to version 1.0.4, 1.1.3, 1.2.5 or higher.

References

CVSS Score

7.5
high severity
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    High
  • Integrity
    None
  • Availability
    None
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:U/RC:C
Credit
Unknown
CVE
CVE-2020-11020
CWE
CWE-284
Snyk ID
SNYK-RUBY-FAYE-567760
Disclosed
28 Apr, 2020
Published
28 Apr, 2020