SCA: security update for faye (GHSA-3q49-h8f9-9fr9)

high Tenable Cloud Security Plugin ID 409641

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Faye before version 1.4.0, there is a lack of certification validation in TLS handshakes. Faye uses em-
http-request and faye-websocket in the Ruby version of its client. Those libraries both use the
`EM::Connection#start_tls` method in EventMachine to implement the TLS handshake whenever a `wss:` URL is
used for the connection. This method does not implement certificate verification by default, meaning that
it does not check that the server presents a valid and trusted TLS certificate for the expected hostname.
That means that any `https:` or `wss:` connection made using these libraries is vulnerable to a man-in-
the-middle attack, since it does not confirm the identity of the server it is connected to. The first
request a Faye client makes is always sent via normal HTTP, but later messages may be sent via WebSocket.
Therefore it is vulnerable to the same problem that these underlying libraries are, and we needed both
libraries to support TLS verification before Faye could claim to do the same. Your client would still be
insecure if its initial HTTPS request was verified, but later WebSocket connections were not. This is
fixed in Faye v1.4.0, which enables verification by default. For further background information on this
issue, please see the referenced GitHub Advisory. (CVE-2020-15134)

See Also

https://github.com/advisories/GHSA-3q49-h8f9-9fr9

Plugin Details

Severity: High

ID: 409641

Version: Revision 1.4

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.8

Percentile: 56.9

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2020-15134

CVSS v3

Risk Factor: High

Base Score: 8.7

Temporal Score: 7.8

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 7/31/2020

Vulnerability Publication Date: 7/31/2020

Reference Information

CVE: CVE-2020-15134

cwe: CWE-295