Vulnerability Instance
Lookup for vulnerabilities affecting packages.
GET /api/vulnerabilities/51626?format=api
{ "url": "http://public2.vulnerablecode.io/api/vulnerabilities/51626?format=api", "vulnerability_id": "VCID-4fjd-y2w2-83d9", "summary": "Missing TLS certificate verification\nFaye uses [em-http-request][6] and [faye-websocket][10] in the Ruby version of\nits client. Those libraries both use the [`EM::Connection#start_tls`][1] method\nin [EventMachine][2] to implement the TLS handshake whenever a `wss:` URL is\nused for the connection. This method does not implement certificate verification\nby default, meaning that it does not check that the server presents a valid and\ntrusted TLS certificate for the expected hostname. That means that any `https:`\nor `wss:` connection made using these libraries is vulnerable to a\nman-in-the-middle attack, since it does not confirm the identity of the server\nit is connected to.\n\nThe first request a Faye client makes is always sent via normal HTTP, but later\nmessages may be sent via WebSocket. Therefore it is vulnerable to the same\nproblem that these underlying libraries are, and we needed both libraries to\nsupport TLS verification before Faye could claim to do the same. Your client\nwould still be insecure if its initial HTTPS request was verified, but later\nWebSocket connections were not.\n\nThis has been a requested feature in EventMachine for many years now; see for\nexample [#275][3], [#378][4], and [#814][5]. In June 2020, em-http-request\npublished an [advisory][7] related to this problem and fixed it by [implementing\nTLS verification][8] in their own codebase; although EventMachine does not\nimplement certificate verification itself, it provides an extension point for\nthe caller to implement it, called [`ssl_verify_peer`][9]. Based on this\nimplementation, we have incorporated similar functionality into faye-websocket.\n\nAfter implementing verification in v1.1.6, em-http-request has elected to leave\nthe `:verify_peer` option switched off by default. We have decided to _enable_\nthis option by default in Faye, but are publishing a minor release with added\nfunctionality for configuring it. We are mindful of the fact that this may break\nexisting programs, but we consider it much more important that all clients have\nTLS verification turned on by default. A client that is not carrying out\nverification is either:\n\n- talking to the expected server, and will not break under this change\n- being attacked, and would benefit from being alerted to this fact\n- deliberately talking to a server that would be rejected by verification\n\nThe latter case includes situations like talking to a non-public server using a\nself-signed certificate. We consider this use case to be \"working by accident\",\nrather than functionality that was actively supported, and it should be properly\nand explicitly supported instead.\n\nWe are releasing Faye v1.4.0, which enables verification by default and provides\na way to opt out of it:\n\n```rb\nclient = Faye::Client.new('https://example.com/', tls: { verify_peer: false })\n```\n\nUnfortunately we can't offer an equivalent of the `:root_cert_file` option that\nhas been added to faye-websocket, because em-http-request does not support it.\nIf you need to talk to servers whose certificates are not recognised by your\ndefault root certificates, then you need to add its certificate (or another one\nthat can verify it) to your system's root set.\n\nThe same functionality is now supported in the Node.js version, with a `tls`\noption whose values will be passed to the `https` and `tls` modules as\nappropriate when making connections. For example, you can provide your own CA\ncertificate:\n\n```js\nvar client = new faye.Client('https://example.com/', {\n tls: {\n ca: fs.readFileSync('path/to/certificate.pem')\n }\n});\n```\n\nFor further background information on this issue, please see [faye#524][12] and\n[faye-websocket#129][13]. We would like to thank [Tero Marttila][14] and [Daniel\nMorsing][15] for providing invaluable assistance and feedback on this issue.\n\n[1]: https://www.rubydoc.info/github/eventmachine/eventmachine/EventMachine/Connection:start_tls\n[2]: https://rubygems.org/gems/eventmachine\n[3]: https://github.com/eventmachine/eventmachine/issues/275\n[4]: https://github.com/eventmachine/eventmachine/pull/378\n[5]: https://github.com/eventmachine/eventmachine/issues/814\n[6]: https://rubygems.org/gems/em-http-request\n[7]: https://securitylab.github.com/advisories/GHSL-2020-094-igrigorik-em-http-request\n[8]: https://github.com/igrigorik/em-http-request/pull/340\n[9]: https://www.rubydoc.info/github/eventmachine/eventmachine/EventMachine/Connection:ssl_verify_peer\n[10]: https://rubygems.org/gems/faye-websocket\n[11]: https://faye.jcoglan.com/\n[12]: https://github.com/faye/faye/issues/524\n[13]: https://github.com/faye/faye-websocket-ruby/pull/129\n[14]: https://github.com/SpComb\n[15]: https://github.com/DanielMorsing", "aliases": [ { "alias": "CVE-2020-15134" }, { "alias": "GHSA-3q49-h8f9-9fr9" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/127362?format=api", "purl": "pkg:deb/debian/ruby-faye@1.4.0-1?distro=bullseye", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-faye@1.4.0-1%3Fdistro=bullseye" }, { "url": "http://public2.vulnerablecode.io/api/packages/77773?format=api", "purl": "pkg:gem/faye@1.4.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/faye@1.4.0" } ], "affected_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/262296?format=api", "purl": "pkg:gem/faye@0.1.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4fjd-y2w2-83d9" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/faye@0.1.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/262297?format=api", "purl": "pkg:gem/faye@0.1.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4fjd-y2w2-83d9" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/faye@0.1.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/262298?format=api", "purl": "pkg:gem/faye@0.2.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4fjd-y2w2-83d9" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/faye@0.2.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/262299?format=api", "purl": "pkg:gem/faye@0.3.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4fjd-y2w2-83d9" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/faye@0.3.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/262300?format=api", "purl": "pkg:gem/faye@0.3.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4fjd-y2w2-83d9" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/faye@0.3.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/262301?format=api", "purl": "pkg:gem/faye@0.3.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4fjd-y2w2-83d9" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/faye@0.3.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/262302?format=api", "purl": "pkg:gem/faye@0.3.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4fjd-y2w2-83d9" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/faye@0.3.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/262303?format=api", "purl": "pkg:gem/faye@0.3.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4fjd-y2w2-83d9" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/faye@0.3.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/75727?format=api", "purl": "pkg:gem/faye@0.5.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4fjd-y2w2-83d9" }, { "vulnerability": "VCID-t6zf-6pz1-4fhe" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/faye@0.5.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/253735?format=api", "purl": "pkg:gem/faye@0.5.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4fjd-y2w2-83d9" }, { "vulnerability": "VCID-t6zf-6pz1-4fhe" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/faye@0.5.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/253736?format=api", "purl": "pkg:gem/faye@0.5.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4fjd-y2w2-83d9" }, { "vulnerability": "VCID-t6zf-6pz1-4fhe" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/faye@0.5.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/253737?format=api", "purl": "pkg:gem/faye@0.5.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4fjd-y2w2-83d9" }, { "vulnerability": "VCID-t6zf-6pz1-4fhe" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/faye@0.5.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/253738?format=api", "purl": "pkg:gem/faye@0.5.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4fjd-y2w2-83d9" }, { "vulnerability": "VCID-t6zf-6pz1-4fhe" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/faye@0.5.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/253739?format=api", "purl": "pkg:gem/faye@0.5.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4fjd-y2w2-83d9" }, { "vulnerability": "VCID-t6zf-6pz1-4fhe" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/faye@0.5.5" }, { "url": "http://public2.vulnerablecode.io/api/packages/253740?format=api", "purl": "pkg:gem/faye@0.6.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4fjd-y2w2-83d9" }, { "vulnerability": "VCID-t6zf-6pz1-4fhe" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/faye@0.6.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/253741?format=api", "purl": "pkg:gem/faye@0.6.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4fjd-y2w2-83d9" }, { "vulnerability": "VCID-t6zf-6pz1-4fhe" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/faye@0.6.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/253742?format=api", "purl": "pkg:gem/faye@0.6.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4fjd-y2w2-83d9" }, { "vulnerability": "VCID-t6zf-6pz1-4fhe" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/faye@0.6.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/253743?format=api", "purl": "pkg:gem/faye@0.6.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4fjd-y2w2-83d9" }, { "vulnerability": "VCID-t6zf-6pz1-4fhe" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/faye@0.6.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/253744?format=api", "purl": "pkg:gem/faye@0.6.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4fjd-y2w2-83d9" }, { "vulnerability": "VCID-t6zf-6pz1-4fhe" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/faye@0.6.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/253745?format=api", "purl": "pkg:gem/faye@0.6.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4fjd-y2w2-83d9" }, { "vulnerability": "VCID-t6zf-6pz1-4fhe" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/faye@0.6.5" }, { "url": "http://public2.vulnerablecode.io/api/packages/253746?format=api", "purl": "pkg:gem/faye@0.6.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4fjd-y2w2-83d9" }, { "vulnerability": "VCID-t6zf-6pz1-4fhe" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/faye@0.6.6" }, { "url": "http://public2.vulnerablecode.io/api/packages/253747?format=api", "purl": "pkg:gem/faye@0.6.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4fjd-y2w2-83d9" }, { "vulnerability": "VCID-t6zf-6pz1-4fhe" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/faye@0.6.7" }, { "url": "http://public2.vulnerablecode.io/api/packages/253748?format=api", "purl": "pkg:gem/faye@0.6.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4fjd-y2w2-83d9" }, { "vulnerability": "VCID-t6zf-6pz1-4fhe" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/faye@0.6.8" }, { "url": "http://public2.vulnerablecode.io/api/packages/253749?format=api", "purl": "pkg:gem/faye@0.7.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4fjd-y2w2-83d9" }, { "vulnerability": "VCID-t6zf-6pz1-4fhe" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/faye@0.7.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/253750?format=api", "purl": "pkg:gem/faye@0.7.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4fjd-y2w2-83d9" }, { "vulnerability": "VCID-t6zf-6pz1-4fhe" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/faye@0.7.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/253751?format=api", "purl": "pkg:gem/faye@0.7.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4fjd-y2w2-83d9" }, { "vulnerability": "VCID-t6zf-6pz1-4fhe" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/faye@0.7.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/253752?format=api", "purl": "pkg:gem/faye@0.8.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4fjd-y2w2-83d9" }, { "vulnerability": "VCID-t6zf-6pz1-4fhe" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/faye@0.8.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/253753?format=api", "purl": "pkg:gem/faye@0.8.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4fjd-y2w2-83d9" }, { "vulnerability": "VCID-t6zf-6pz1-4fhe" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/faye@0.8.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/253754?format=api", "purl": "pkg:gem/faye@0.8.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4fjd-y2w2-83d9" }, { "vulnerability": "VCID-t6zf-6pz1-4fhe" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/faye@0.8.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/253755?format=api", "purl": "pkg:gem/faye@0.8.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4fjd-y2w2-83d9" }, { "vulnerability": "VCID-t6zf-6pz1-4fhe" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/faye@0.8.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/253756?format=api", "purl": "pkg:gem/faye@0.8.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4fjd-y2w2-83d9" }, { "vulnerability": "VCID-t6zf-6pz1-4fhe" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/faye@0.8.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/253757?format=api", "purl": "pkg:gem/faye@0.8.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4fjd-y2w2-83d9" }, { "vulnerability": "VCID-t6zf-6pz1-4fhe" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/faye@0.8.5" }, { "url": "http://public2.vulnerablecode.io/api/packages/253758?format=api", "purl": "pkg:gem/faye@0.8.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4fjd-y2w2-83d9" }, { "vulnerability": "VCID-t6zf-6pz1-4fhe" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/faye@0.8.6" }, { "url": "http://public2.vulnerablecode.io/api/packages/253759?format=api", "purl": "pkg:gem/faye@0.8.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4fjd-y2w2-83d9" }, { "vulnerability": "VCID-t6zf-6pz1-4fhe" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/faye@0.8.8" }, { "url": "http://public2.vulnerablecode.io/api/packages/253760?format=api", "purl": "pkg:gem/faye@0.8.9", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4fjd-y2w2-83d9" }, { "vulnerability": "VCID-t6zf-6pz1-4fhe" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/faye@0.8.9" }, { "url": "http://public2.vulnerablecode.io/api/packages/253761?format=api", "purl": "pkg:gem/faye@0.8.11", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4fjd-y2w2-83d9" }, { "vulnerability": "VCID-t6zf-6pz1-4fhe" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/faye@0.8.11" }, { "url": "http://public2.vulnerablecode.io/api/packages/253762?format=api", "purl": "pkg:gem/faye@1.0.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4fjd-y2w2-83d9" }, { "vulnerability": "VCID-t6zf-6pz1-4fhe" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/faye@1.0.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/253763?format=api", "purl": "pkg:gem/faye@1.0.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4fjd-y2w2-83d9" }, { "vulnerability": "VCID-t6zf-6pz1-4fhe" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/faye@1.0.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/253764?format=api", "purl": "pkg:gem/faye@1.0.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4fjd-y2w2-83d9" }, { "vulnerability": "VCID-t6zf-6pz1-4fhe" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/faye@1.0.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/77195?format=api", "purl": "pkg:gem/faye@1.0.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4fjd-y2w2-83d9" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/faye@1.0.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/77193?format=api", "purl": "pkg:gem/faye@1.1.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4fjd-y2w2-83d9" }, { "vulnerability": "VCID-t6zf-6pz1-4fhe" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/faye@1.1.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/253765?format=api", "purl": "pkg:gem/faye@1.1.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4fjd-y2w2-83d9" }, { "vulnerability": "VCID-t6zf-6pz1-4fhe" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/faye@1.1.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/253766?format=api", "purl": "pkg:gem/faye@1.1.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4fjd-y2w2-83d9" }, { "vulnerability": "VCID-t6zf-6pz1-4fhe" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/faye@1.1.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/77196?format=api", "purl": "pkg:gem/faye@1.1.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4fjd-y2w2-83d9" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/faye@1.1.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/77194?format=api", "purl": "pkg:gem/faye@1.2.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4fjd-y2w2-83d9" }, { "vulnerability": "VCID-t6zf-6pz1-4fhe" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/faye@1.2.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/253767?format=api", "purl": "pkg:gem/faye@1.2.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4fjd-y2w2-83d9" }, { "vulnerability": "VCID-t6zf-6pz1-4fhe" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/faye@1.2.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/253768?format=api", "purl": "pkg:gem/faye@1.2.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4fjd-y2w2-83d9" }, { "vulnerability": "VCID-t6zf-6pz1-4fhe" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/faye@1.2.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/253769?format=api", "purl": "pkg:gem/faye@1.2.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4fjd-y2w2-83d9" }, { "vulnerability": "VCID-t6zf-6pz1-4fhe" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/faye@1.2.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/253770?format=api", "purl": "pkg:gem/faye@1.2.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4fjd-y2w2-83d9" }, { "vulnerability": "VCID-t6zf-6pz1-4fhe" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/faye@1.2.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/77197?format=api", "purl": "pkg:gem/faye@1.2.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4fjd-y2w2-83d9" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/faye@1.2.5" }, { "url": "http://public2.vulnerablecode.io/api/packages/262304?format=api", "purl": "pkg:gem/faye@1.3.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4fjd-y2w2-83d9" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/faye@1.3.0" } ], "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-15134", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00122", "scoring_system": "epss", "scoring_elements": "0.30792", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-15134" }, { "reference_url": "https://blog.jcoglan.com/2020/07/31/missing-tls-verification-in-faye", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://blog.jcoglan.com/2020/07/31/missing-tls-verification-in-faye" }, { "reference_url": "https://github.com/eventmachine/eventmachine/issues/275", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/eventmachine/eventmachine/issues/275" }, { "reference_url": "https://github.com/eventmachine/eventmachine/issues/814", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/eventmachine/eventmachine/issues/814" }, { "reference_url": "https://github.com/eventmachine/eventmachine/pull/378", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/eventmachine/eventmachine/pull/378" }, { "reference_url": "https://github.com/faye/faye", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/faye/faye" }, { "reference_url": "https://github.com/faye/faye/issues/524", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/faye/faye/issues/524" }, { "reference_url": "https://github.com/faye/faye/security/advisories/GHSA-3q49-h8f9-9fr9", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/faye/faye/security/advisories/GHSA-3q49-h8f9-9fr9" }, { "reference_url": "https://github.com/faye/faye-websocket-ruby/pull/129", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/faye/faye-websocket-ruby/pull/129" }, { "reference_url": "https://github.com/igrigorik/em-http-request/pull/340", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/igrigorik/em-http-request/pull/340" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/faye/CVE-2020-15134.yml", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/faye/CVE-2020-15134.yml" }, { "reference_url": "https://securitylab.github.com/advisories/GHSL-2020-094-igrigorik-em-http-request", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://securitylab.github.com/advisories/GHSL-2020-094-igrigorik-em-http-request" }, { "reference_url": "https://www.rubydoc.info/github/eventmachine/eventmachine/EventMachine/Connection:ssl_verify_peer", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.rubydoc.info/github/eventmachine/eventmachine/EventMachine/Connection:ssl_verify_peer" }, { "reference_url": "https://www.rubydoc.info/github/eventmachine/eventmachine/EventMachine/Connection:start_tls", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.rubydoc.info/github/eventmachine/eventmachine/EventMachine/Connection:start_tls" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=967063", "reference_id": "967063", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=967063" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15134", "reference_id": "CVE-2020-15134", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15134" } ], "weaknesses": [ { "cwe_id": 1035, "name": "OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017." }, { "cwe_id": 295, "name": "Improper Certificate Validation", "description": "The product does not validate, or incorrectly validates, a certificate." }, { "cwe_id": 937, "name": "OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013." } ], "exploits": [], "severity_range_score": "7.0 - 8.9", "exploitability": "0.5", "weighted_severity": "8.0", "risk_score": 4.0, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-4fjd-y2w2-83d9" }