Insecure Defaults

Affecting the faye package, versions >=0.5.0 <0.8.9


Overview

faye is a simple pub/sub messaging system for the web. Affected versions of the package are vulnerable to Man-in-the-Middle attacks due to insecure defaults: by default, faye used an insecure cipher configuration, allowing attackers to gain access to the contents of SSL-encrypted packets. This attack is also known as the BEAST attack.

You can read more about insecure defaults on our blog

Remediation

Upgrade faye to version 0.8.9 or higher.

References

CVSS Score

4.3 (medium severity)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality: Low
  • Integrity: None
  • Availability: None
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Credit: Thai Duong, Juliano Rizzo
CVE: CVE-2011-3389
CWE: CWE-300
Snyk ID: npm:faye:20121107
Disclosed: 06 Nov, 2012
Published: 28 Mar, 2017