Improper Access Control Affecting faye package, versions <1.0.4 >=1.1.0, <1.1.3 >=1.2.0, <1.2.5
Snyk ID SNYK-RUBY-FAYE-567760
- published 28 Apr 2020
- disclosed 28 Apr 2020
- credit Unknown
Introduced: 28 Apr 2020
CVE-2020-11020
How to fix?
Upgrade faye to version 1.0.4, 1.1.3, 1.2.5 or higher.
Overview
faye provides simple pub/sub messaging for the web.
Affected versions of this package are vulnerable to Improper Access Control. The server parses channels in a way that means any channel namespaced under /meta/subscribe will also work as a subscription request. For example, if the client sends a message to the channel /meta/subscribe/x, it will bypass most authentication extensions (extensions that check only for the exact channel name /meta/subscribe) but will still be interpreted by the server as a subscription request, and the client will be subscribed to the requested channel. The client has thus bypassed the user's access control policy.
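The following is an added example, not code from the advisory or from the faye project, showing why an exact-match check on the channel name misses the case described above and how a server-side extension can close that gap. It is plain Ruby so it runs without faye installed; the faye extension interface it mimics (an object with an incoming(message, callback) method that sets message['error'] to deny) is real, while the token name, the token value and the /public/ channel policy are hypothetical.

```ruby
# Added example (not faye's own code): hardening a subscription-authorization
# extension against /meta/subscribe/<anything> channels (CVE-2020-11020).
#
# Assumptions (hypothetical, not from the advisory):
#   * clients present a token in message['ext']['token'];
#   * the token 'valid-token' may subscribe only to channels under /public/.

META_SUBSCRIBE = '/meta/subscribe'.freeze

# The Bayeux meta channels a server is expected to handle. Anything else
# under /meta/ is treated as unknown and rejected.
META_CHANNELS = %w[
  /meta/handshake /meta/connect /meta/disconnect
  /meta/subscribe /meta/unsubscribe
].freeze

# The check most extensions used before the fix: exact match only.
# It returns false for '/meta/subscribe/x', so such a message was never
# authorized even though affected servers treated it as a subscribe.
def weak_subscribe_request?(channel)
  channel == META_SUBSCRIBE
end

# Hardened check: anything at or namespaced under /meta/subscribe counts
# as a subscription attempt and must pass authorization.
def subscribe_request?(channel)
  channel == META_SUBSCRIBE || channel.start_with?(META_SUBSCRIBE + '/')
end

# Hypothetical policy: a valid token may subscribe only under /public/.
def authorized?(message)
  token = message.dig('ext', 'token')
  token == 'valid-token' && message['subscription'].to_s.start_with?('/public/')
end

class SubscriptionGuard
  # Mirrors the faye extension signature; setting message['error'] denies.
  def incoming(message, callback)
    channel = message['channel'].to_s
    if channel.start_with?('/meta/') && !META_CHANNELS.include?(channel)
      # Deny by default: reject any /meta/ channel that is not an exact,
      # known meta channel before the server can reinterpret it.
      message['error'] = '403::unknown meta channel'
    elsif subscribe_request?(channel) && !authorized?(message)
      message['error'] = '403::subscription denied'
    end
    callback.call(message)
  end
end

# Helper for exercising the guard outside a running faye server.
def check(message)
  result = nil
  SubscriptionGuard.new.incoming(message.dup, ->(m) { result = m })
  result
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample messages, not captured traffic.
  [
    { 'channel' => '/meta/subscribe', 'subscription' => '/public/news',
      'ext' => { 'token' => 'valid-token' } },
    { 'channel' => '/meta/subscribe', 'subscription' => '/public/news' },
    { 'channel' => '/meta/subscribe/x', 'subscription' => '/public/news' }
  ].each { |m| puts "#{m['channel']} -> #{check(m)['error'] || 'allowed'}" }
end
```

With a real server the guard would be registered with server.add_extension(SubscriptionGuard.new); the essential design choice is that the extension decides what counts as a subscription request with the same or broader rules than the server, and denies unknown /meta/ channels outright rather than only looking for the exact string. Upgrading to a fixed faye version remains the primary remediation; this extension is defense in depth.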