Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Missing TLS certificate verification in Faye Websocket
Vulnerability Description
In faye-websocket before version 0.11.0, there is a lack of certification validation in TLS handshakes. The `Faye::WebSocket::Client` class uses the `EM::Connection#start_tls` method in EventMachine to implement the TLS handshake whenever a `wss:` URL is used for the connection. This method does not implement certificate verification by default, meaning that it does not check that the server presents a valid and trusted TLS certificate for the expected hostname. That means that any `wss:` connection made using this library is vulnerable to a man-in-the-middle attack, since it does not confirm the identity of the server it is connected to. For further background information on this issue, please see the referenced GitHub Advisory. Upgrading `faye-websocket` to v0.11.0 is recommended.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
Vulnerability Type
证书验证不恰当
Vulnerability Title
faye-websocket 信任管理问题漏洞
Vulnerability Description
faye-websocket是一款WebSocket实现,它主要提供WebSocket服务器和客户端等。 faye-websocket 0.11.0之前版本中存在信任管理问题漏洞,该漏洞源于在TLS握手过程中,程序没有进行证书检查。攻击者可利用该漏洞实施中间人攻击。
CVSS Information
N/A
Vulnerability Type
N/A