24 matches found
Missing TLS certificate verification
Faye uses em-http-request and faye-websocket in the Ruby version of its client. Those libraries both use the EM::Connection#start_tls method in EventMachine to implement the TLS handshake whenever a wss: URL is used for the connection. This method does not implement certificate verification by...
Man-in-the-middle (MitM)
em-http-request is vulnerable to man-in-the-middle (MitM) attacks. It uses the eventmachine library insecurely: it does not perform SSL/TLS certificate hostname verification, allowing a man-in-the-middle attack against the users of the library...
CVE-2020-13482
EM-HTTP-Request 1.1.5 uses the library eventmachine in an insecure way that allows an attacker to perform a man-in-the-middle attack against users of the library. The hostname in a TLS server certificate is not verified...
CVE-2020-13482
CVE-2020-13482 affects EM-HTTP-Request (1.1.5) using EventMachine, where TLS server certificate hostname verification is not performed. This allows potential MITM attacks affecting confidentiality and integrity. Public advisories (e.g., Red Hat RHSA-2021-0937, Mageia MGASA-2021-0172) confirm the ...