PT-2020-12497 · Npm · Faye

High · jcoglan · Published 2020-04-29 · Updated 2020-05-06 · CVE-2020-11020

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Faye (NPM, RubyGem) versions greater than 0.5.0 and before 1.0.4
Faye (NPM, RubyGem) versions 1.1.x before 1.1.3
Faye (NPM, RubyGem) versions 1.2.x before 1.2.5
Description

The issue allows any client to bypass checks put in place by server-side extensions by appending extra segments to the message channel. It is caused by a bug in the server's code for recognizing the special /meta/* channels: a client can bypass authentication checks by sending a message to a channel that is a prefix match for one of the special channels, such as /meta/subscribe/x. The server still processes this message as a subscription request, so the client becomes subscribed to a channel without supplying the necessary credentials, while an extension that compares the channel name exactly (message.channel === '/meta/subscribe') never recognizes it as a subscription request.
Recommendations

For Faye (NPM, RubyGem) versions greater than 0.5.0 and before 1.0.4, update to version 1.0.4 or later.
For Faye (NPM, RubyGem) versions 1.1.x before 1.1.3, update to version 1.1.3 or later.
For Faye (NPM, RubyGem) versions 1.2.x before 1.2.5, update to version 1.2.5 or later.

As a temporary workaround until the upgrade is deployed, modify extensions to check whether the message channel begins with the expected channel name rather than matching it exactly. For example, use message.channel.startsWith('/meta/subscribe') instead of message.channel === '/meta/subscribe'. Apply the same change to every /meta/* channel the extension guards, and keep the check in the server-side extension, since the padded channel name is chosen by the client.
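The bypass and the workaround, as an added example that is not Faye's own code: a minimal model of a server that routes /meta/* messages by their second path segment (the prefix-match behaviour the description attributes to the vulnerable server), an extension that guards subscriptions with an exact channel comparison, the prefix-based check the workaround recommends, and a fixed-style dispatcher that only recognizes the exact meta channel names. The credential, the authToken field and the function names are assumptions made for this illustration; Faye's real server and extension API differ.

```javascript
// Added example, not Faye's own code: a simplified model of the dispatch bug
// described in this advisory and of the extension-level workaround.
// SECRET, ext.authToken and the helper names are assumptions for the illustration.

const SECRET = 'letmein'; // constructed credential for the example

const META_METHODS = ['handshake', 'connect', 'subscribe', 'unsubscribe', 'disconnect'];

// Vulnerable-style dispatch: a /meta/* message is routed by its second path
// segment only, so "/meta/subscribe/x" is handled exactly like "/meta/subscribe".
function dispatchMeta(message) {
  const segments = message.channel.split('/').slice(1); // "/meta/subscribe/x" -> ['meta','subscribe','x']
  if (segments[0] !== 'meta') return { handled: 'publish' };
  if (META_METHODS.includes(segments[1])) return { handled: segments[1] };
  return { handled: 'error', error: '402:' + message.channel + ':Unknown channel' };
}

// Fixed-style dispatch: only the five exact meta channel names are recognized;
// any other channel under /meta/ is rejected instead of being prefix-matched.
function dispatchMetaFixed(message) {
  const channel = message.channel;
  if (!channel.startsWith('/meta/')) return { handled: 'publish' };
  const method = channel.slice('/meta/'.length);
  if (META_METHODS.includes(method)) return { handled: method };
  return { handled: 'error', error: '405:' + channel + ':Unrecognized channel' };
}

// Extension with the exact-match check the advisory warns about: it guards
// "/meta/subscribe" but never looks at "/meta/subscribe/x".
function exactMatchExtension(message) {
  const token = (message.ext || {}).authToken;
  if (message.channel === '/meta/subscribe' && token !== SECRET) {
    message.error = '403::Authentication required';
  }
  return message;
}

// Workaround from the advisory: match on the channel prefix, so the padded
// channel is still treated as a subscription request by the extension.
function prefixMatchExtension(message) {
  const token = (message.ext || {}).authToken;
  if (message.channel.startsWith('/meta/subscribe') && token !== SECRET) {
    message.error = '403::Authentication required';
  }
  return message;
}

// Run an incoming message through an extension and then the dispatcher, the
// way a server-side incoming extension sits in front of message handling.
function processMessage(message, extension, dispatch) {
  const checked = extension({ ...message });
  if (checked.error) return { handled: 'rejected', error: checked.error };
  return dispatch(checked);
}

// Constructed messages: an unauthenticated subscribe and the padded bypass attempt.
const plainSubscribe = { channel: '/meta/subscribe', clientId: 'c1', subscription: '/private' };
const paddedSubscribe = { channel: '/meta/subscribe/x', clientId: 'c1', subscription: '/private' };
const authedSubscribe = { channel: '/meta/subscribe', clientId: 'c1', subscription: '/private', ext: { authToken: SECRET } };

// Summarize what each server/extension combination does with the messages.
function demo() {
  return {
    exactPlain: processMessage(plainSubscribe, exactMatchExtension, dispatchMeta).handled,       // 'rejected'
    exactAuthed: processMessage(authedSubscribe, exactMatchExtension, dispatchMeta).handled,     // 'subscribe'
    exactPadded: processMessage(paddedSubscribe, exactMatchExtension, dispatchMeta).handled,     // 'subscribe' (bypass)
    prefixPadded: processMessage(paddedSubscribe, prefixMatchExtension, dispatchMeta).handled,   // 'rejected'
    fixedPadded: processMessage(paddedSubscribe, exactMatchExtension, dispatchMetaFixed).handled // 'error'
  };
}

console.log(demo());
```

The exactPadded line is the vulnerability: the extension skips the padded channel, yet the vulnerable dispatcher still subscribes the client. The prefix check closes that gap at the extension layer; the fixed-style dispatcher closes it at the server layer regardless of how extensions are written, which is why upgrading is the real fix and the startsWith change is only a stopgap.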

Exploit

Fix

Weakness Enumeration

Improper Authentication
Related Identifiers

CVE-2020-11020
GHSA-QPG4-4W7W-2MQ5

Affected Products

Faye