PT-2020-14213 · Faye · Faye-Websocket

Daniel Morsing +1 · Published 2020-07-31 · Updated 2021-11-18 · CVE-2020-15133

CVSS v3.1: 8.7 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: faye-websocket versions prior to 0.11.0

Description: The issue is related to a lack of certificate validation in TLS handshakes. The Faye::WebSocket::Client class uses the EM::Connection#start_tls method, which does not implement certificate verification by default. This means that any wss: connection made using this library is vulnerable to a man-in-the-middle attack, as it does not confirm the identity of the server it is connected to. The library has been updated to enable TLS verification by default, and two new options have been added to the Faye::WebSocket::Client constructor: tls.root_cert_file and tls.verify_peer. These options allow users to provide a different set of root certificates and turn verification off entirely, respectively.

Recommendations: To resolve the issue, upgrade faye-websocket to version 0.11.0. If you need to use a different set of root certificates, use the :root_cert_file option when creating a new Faye::WebSocket::Client instance. If you need to turn verification off entirely, use the :verify_peer option, but this should be a last resort.
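The advisory turns on two client-side TLS knobs: whether the peer certificate is verified at all, and which root certificates it must chain to. The script below is an added example written for this page, not code from faye-websocket, EventMachine or the advisory's authors. It uses only Ruby's standard OpenSSL and socket libraries, builds a throwaway test CA, a server certificate chained to it and a second server certificate from a CA the client never trusted, then runs loopback TLS handshakes: a client that skips verification (the pre-0.11.0 behaviour inherited from EM::Connection#start_tls) accepts the untrusted certificate, while a client with peer verification on and the test CA as its only root accepts the trusted chain and rejects the other. The names verify_peer and root_cert_file are the advisory's; mapping them onto OpenSSL's verify_mode and certificate store is this example's own analogy. In faye-websocket 0.11.0 the equivalent settings are passed as the `:tls => { :verify_peer => ..., :root_cert_file => ... }` option hash to Faye::WebSocket::Client.new (the gem's documented option shape; the example does not load the gem).

```ruby
require 'openssl'
require 'socket'

# Build a throwaway certificate (constructed in-process; no real PKI involved).
# With no `ca:` the result is a self-signed CA; with ca = [key, cert] it is a
# leaf for host `cn` signed by that CA.
def make_cert(cn, ca: nil)
  key  = OpenSSL::PKey::RSA.generate(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = rand(1 << 31)
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = ca ? ca[1].subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(ca ? ca[1] : cert, cert)
  if ca
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
    cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{cn}"))
    cert.sign(ca[0], OpenSSL::Digest.new('SHA256'))
  else
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign', true))
    cert.sign(key, OpenSSL::Digest.new('SHA256'))
  end
  [key, cert]
end

# Run one TLS handshake against a loopback server presenting `server` = [key, cert].
# verify_peer: false models the pre-0.11.0 client (start_tls default: no checks).
# verify_peer: true plus root_cert models 0.11.0's verify_peer + root_cert_file.
# Returns true if the client accepted the server, false if it rejected it.
def handshake_accepted?(server, verify_peer:, root_cert: nil, hostname: 'localhost')
  server_ctx = OpenSSL::SSL::SSLContext.new
  server_ctx.key, server_ctx.cert = server
  listener = TCPServer.new('127.0.0.1', 0)
  server_thread = Thread.new do
    ssl = OpenSSL::SSL::SSLSocket.new(listener.accept, server_ctx)
    ssl.sync_close = true
    begin
      ssl.accept
    rescue StandardError
      # A verifying client aborts the handshake with an alert; expected here.
    ensure
      ssl.close
    end
  end

  client_ctx = OpenSSL::SSL::SSLContext.new
  if verify_peer
    client_ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
    store = OpenSSL::X509::Store.new
    store.add_cert(root_cert) if root_cert            # the root_cert_file analogue
    client_ctx.cert_store = store
  else
    client_ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE # any certificate is accepted
  end

  tcp = TCPSocket.new('127.0.0.1', listener.addr[1])
  client = OpenSSL::SSL::SSLSocket.new(tcp, client_ctx)
  client.sync_close = true
  client.hostname = hostname
  begin
    client.connect
    client.post_connection_check(hostname) if verify_peer # chain valid AND name matches
    true
  rescue OpenSSL::SSL::SSLError, SystemCallError
    false
  ensure
    client.close
    server_thread.join
    listener.close
  end
end

# Three handshakes that show why the default mattered.
def demo
  trusted_ca   = make_cert('Trusted Test CA')
  untrusted_ca = make_cert('Untrusted CA')              # never added to the client's roots
  good_server  = make_cert('localhost', ca: trusted_ca)
  bad_server   = make_cert('localhost', ca: untrusted_ca)
  root = trusted_ca[1]
  {
    unverified_accepts_untrusted: handshake_accepted?(bad_server, verify_peer: false),
    verified_accepts_trusted:     handshake_accepted?(good_server, verify_peer: true, root_cert: root),
    verified_rejects_untrusted:   !handshake_accepted?(bad_server, verify_peer: true, root_cert: root)
  }
end

p demo if $PROGRAM_NAME == __FILE__
```

The first result is the vulnerable behaviour: with verification off, the client completes the handshake with whatever certificate the other end presents, so it cannot tell a server from an interposed host. The second and third results are what the 0.11.0 default gives: the chain must end at a configured root and the name in the certificate must match the host being contacted. Pointing root_cert_file at a private CA, as the recommendations describe, changes only the contents of the store, not the checks.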

Weakness Enumeration

Improper Certificate Validation

Related Identifiers

CVE-2020-15133
GHSA-2V5C-755P-P4GV

Affected Products

Faye-Websocket