
CVE-2020-15133: Missing TLS certificate verification in faye-websocket

CVSS Score: 8.0 (CVSS v3.1)

Basic Information

EPSS Score: 0.35473%
Published: 7/31/2020
Updated: 5/16/2023
KEV Status: No
Technology: Ruby

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
Package Name     Ecosystem   Vulnerable Versions   First Patched Version
faye-websocket   rubygems    < 0.11.0              0.11.0

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The vulnerability stems from two things. First, the Faye::WebSocket::Client constructor called EventMachine's start_tls without enabling verify_peer, and the client did not implement the ssl_verify_peer callback, so faye-websocket itself contained no certificate validation logic. Second, EventMachine's start_tls performs no certificate validation on its own: unless verify_peer is enabled it accepts whatever certificate the server presents, and even with verify_peer enabled it only hands each certificate in the chain to the connection's ssl_verify_peer callback, leaving the chain and hostname checks to the application. Together these meant that a wss: connection made with faye-websocket before 0.11.0 completed the TLS handshake with any certificate, including a self-signed one presented by an on-path attacker, who could then read or modify the WebSocket traffic. The fix in faye-websocket 0.11.0 added an ssl_verify_peer implementation and enabled verify_peer by default, which confirms these were the missing safeguards.
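
The following is an added example, not code from faye-websocket or EventMachine, showing the shape of the check the fix had to supply. It models EventMachine's callback contract for start_tls with verify_peer enabled (ssl_verify_peer receives each certificate of the chain as PEM text, top of the chain first and the server's leaf last, and a false return aborts the handshake; ssl_handshake_completed runs afterwards) using only Ruby's standard OpenSSL library, so it runs offline. The PeerVerifier class, the simulate_handshake helper and the constructed test PKI (a private root, a leaf it issued for ws.example.test, and a self-signed certificate for the same name standing in for an attacker's) are assumptions made for illustration; the verify_peer: false path reproduces what faye-websocket did before 0.11.0, where no callback ever ran.

```ruby
require 'openssl'

# Added example (not faye-websocket's or EventMachine's own code). EventMachine
# verifies nothing itself: with :verify_peer => true it calls ssl_verify_peer(pem)
# once per certificate (top of the chain first, leaf last) and then
# ssl_handshake_completed. Both the chain check and the hostname check live here.
class PeerVerifier
  attr_reader :error

  # hostname: the host from the wss: URL; ca_pems: PEM trust anchors.
  def initialize(hostname, ca_pems)
    @hostname = hostname
    @store = OpenSSL::X509::Store.new
    ca_pems.each { |pem| @store.add_cert(OpenSSL::X509::Certificate.new(pem)) }
    @last_cert = nil
    @error = nil
  end

  # Verify each certificate against the anchors plus the certificates already
  # accepted in this handshake, then make it usable as an issuer for the next
  # one. Because the chain arrives top-down, a server-sent intermediate is
  # accepted before the leaf that depends on it.
  def ssl_verify_peer(pem)
    cert = OpenSSL::X509::Certificate.new(pem)
    unless @store.verify(cert)
      @error = "chain: #{@store.error_string}"
      return false
    end
    begin
      @store.add_cert(cert)
    rescue OpenSSL::X509::StoreError
      # already present: the server echoed one of our trust anchors
    end
    @last_cert = cert
    true
  rescue OpenSSL::X509::CertificateError => e
    @error = "parse: #{e.message}"
    false
  end

  # A valid chain is not enough: the leaf must be issued for the host we
  # dialled, otherwise any certificate from a trusted CA would do.
  def ssl_handshake_completed
    if @last_cert.nil?
      @error = 'no certificate presented'
      return false
    end
    unless OpenSSL::SSL.verify_certificate_identity(@last_cert, @hostname)
      @error = "hostname: certificate is not valid for #{@hostname}"
      return false
    end
    true
  end
end

# Replay the callback sequence EventMachine would deliver for a chain (top
# first, leaf last). verify_peer: false is the pre-0.11.0 situation: start_tls
# without :verify_peer, so no callback runs and any certificate is accepted.
def simulate_handshake(hostname, ca_pems, chain_pems, verify_peer: true)
  return [true, nil] unless verify_peer
  v = PeerVerifier.new(hostname, ca_pems)
  ok = chain_pems.all? { |pem| v.ssl_verify_peer(pem) } && v.ssl_handshake_completed
  [ok, v.error]
end

# Constructed test PKI (hypothetical names, generated at load time).
def make_cert(cn, key, issuer: nil, issuer_key: nil, ca: false, san: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1 << 62)
  cert.subject = OpenSSL::X509::Name.new([['CN', cn]])
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{san}")) if san
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
end

CA_KEY = OpenSSL::PKey::RSA.new(2048)
CA_CERT = make_cert('Constructed Test Root', CA_KEY, ca: true)
LEAF_KEY = OpenSSL::PKey::RSA.new(2048)
LEAF_CERT = make_cert('ws.example.test', LEAF_KEY, issuer: CA_CERT, issuer_key: CA_KEY, san: 'ws.example.test')
ROGUE_KEY = OpenSSL::PKey::RSA.new(2048)
ROGUE_CERT = make_cert('ws.example.test', ROGUE_KEY, san: 'ws.example.test') # self-signed, attacker-style

if __FILE__ == $PROGRAM_NAME
  anchors = [CA_CERT.to_pem]
  good = [CA_CERT.to_pem, LEAF_CERT.to_pem]
  puts "genuine chain, verify_peer on:   #{simulate_handshake('ws.example.test', anchors, good).inspect}"
  puts "rogue self-signed, verify_peer on: #{simulate_handshake('ws.example.test', anchors, [ROGUE_CERT.to_pem]).inspect}"
  puts "genuine chain, wrong hostname:   #{simulate_handshake('other.example.test', anchors, good).inspect}"
  puts "rogue self-signed, verify_peer off (< 0.11.0): #{simulate_handshake('ws.example.test', anchors, [ROGUE_CERT.to_pem], verify_peer: false).inspect}"
end
```

The design point is that the store is extended with each certificate as it is accepted, which is what makes a per-certificate callback workable: OpenSSL's verify callback presents the chain from the top down, so by the time the leaf arrives its issuer is already trusted. The hostname check in ssl_handshake_completed is the second half of "certificate validation" and is just as necessary as the chain check.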

WAF Protection Rules

WAF Rule

The `Faye::WebSocket::Client` class uses the `EM::Connection#start_tls` method in EventMachine to implement the TLS handshake whenever a `wss:` URL is used for the connection. This method does not implement certificate verification by default.
