CVE-2020-15134: Improper Certificate Validation

July 31, 2020 (updated August 11, 2020)

In faye-websocket, there is a lack of certification validation in TLS handshakes. The Faye::WebSocket::Client class uses the EM::Connection#start_tls method in EventMachine to implement the TLS handshake whenever a wss: URL is used for the connection. This method does not implement certificate verification by default, meaning that it does not check that the server presents a valid and trusted TLS certificate for the expected hostname. That means that any wss: connection made using this library is vulnerable to a man-in-the-middle attack.

References

nvd.nist.gov/vuln/detail/CVE-2020-15134

Code Behaviors & Features

Detect and mitigate CVE-2020-15134 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →