Insecure Defaults Affecting faye Open this link in a new tab package, versions <0.8.9 >=0.5.0

Exploit Maturity

Proof of concept
Attack Complexity

Low
User Interaction

Required

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

snyk-id

npm:faye:20121107
published

28 Mar 2017
disclosed

6 Sep 2011
credit

Thai Duong, Juliano Rizzo

Report a new vulnerability Found a mistake?

Introduced: 6 Sep 2011

CVE-2011-3389 Open this link in a new tab CWE-300 Open this link in a new tab

Overview

faye is a simple pub/sub messaging for the web. Affected versions of the package are vulnerable to Man-In-The-Middle attacks due to insecure defaults. By default, faye used an insecure cipher, allowing attackers to gain access to SSL encrypted packets. This attack is also known as the BEAST attack.

You can read more about insecure defaults on our blog

Remediation

Upgrade faye to version 0.8.9 or higher.

Insecure Defaults Affecting faye Open this link in a new tab package, versions <0.8.9 >=0.5.0

Exploit Maturity

Attack Complexity

User Interaction

snyk-id

published

disclosed

credit

Introduced: 6 Sep 2011

Overview

Remediation

References