3 matches found
CVE-2020-15133
In faye-websocket before version 0.11.0, there is a lack of certification validation in TLS handshakes. The Faye::WebSocket::Client class uses the EM::Connectionstarttls method in EventMachine to implement the TLS handshake whenever a wss: URL is used for the connection. This method does not...
CVE-2020-15133 Missing TLS certificate verification in Faye Websocket
In faye-websocket before version 0.11.0, there is a lack of certification validation in TLS handshakes. The Faye::WebSocket::Client class uses the EM::Connectionstarttls method in EventMachine to implement the TLS handshake whenever a wss: URL is used for the connection. This method does not...
CVE-2020-15133
CVE-2020-15133 affects the faye-websocket library prior to 0.11.0. The issue is a lack of certificate verification in TLS handshakes: Faye::WebSocket::Client uses EM::Connection#start_tls for wss: connections and does not validate the server’s TLS certificate by default, enabling potential man-in...