Source: ruby-faye
Version: 1.2.4-1
Severity: grave
Tags: security upstream
Justification: user security hole

Hi,

The following vulnerability was published for ruby-faye.

CVE-2020-11020[0]:
| Faye (NPM, RubyGem) versions greater than 0.5.0 and before 1.0.4,
| 1.1.3 and 1.2.5, has the potential for authentication bypass in the
| extension system. The vulnerability allows any client to bypass checks
| put in place by server-side extensions, by appending extra segments to
| the message channel. It is patched in versions 1.0.4, 1.1.3 and 1.2.5.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-11020
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11020
[1] https://github.com/faye/faye/security/advisories/GHSA-qpg4-4w7w-2mq5
[2] https://github.com/faye/faye/commit/65d297d341b607f3cb0b5fa6021a625a991cc30e

Regards,
Salvatore
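As an added example (not part of the bug report, of Faye's own code or of the upstream fix), the following Ruby class is written in the shape of a Faye server-side extension (the two-argument `incoming(message, callback)` hook) and shows the defensive pattern the CVE text implies: validate the channel's segment structure first, so that an exact-match authorization check on `/meta/subscribe` cannot be sidestepped by a channel carrying extra segments. The class name, the `check_channel` helper and the token value are constructed for illustration.

```ruby
# Constructed demo token; a real deployment would verify a session or signature.
EXPECTED_TOKEN = 'constructed-demo-token'
META_CHANNELS = %w[handshake connect disconnect subscribe unsubscribe].freeze

# Hypothetical extension: Faye invokes incoming(message, callback) on each
# server-side extension and expects the (possibly modified) message to be
# handed to the callback; setting message['error'] rejects the message.
class StrictChannelAuth
  def incoming(message, callback)
    channel  = message['channel'].to_s
    segments = channel.split('/', -1) # -1 keeps trailing empty segments

    # A well-formed channel is '/seg/seg/...' with no empty segments, so a
    # trailing slash or a doubled slash is rejected here, not treated as equal.
    unless segments.size >= 2 && segments.first.empty? && segments.drop(1).none?(&:empty?)
      message['error'] = "405:#{channel}:Invalid channel"
      return callback.call(message)
    end

    if segments[1] == 'meta'
      # Meta channels must be exactly /meta/<operation>: anything with extra
      # segments is refused instead of being routed as the shorter channel.
      unless segments.size == 3 && META_CHANNELS.include?(segments[2])
        message['error'] = "405:#{channel}:Invalid meta channel"
        return callback.call(message)
      end
      # Exact comparison is now safe: every variant with extra segments
      # has already been rejected above.
      if channel == '/meta/subscribe' && message.dig('ext', 'token') != EXPECTED_TOKEN
        message['error'] = "403:#{channel}:Forbidden"
      end
    end

    callback.call(message)
  end
end

# Stand-alone helper: run one message through the extension and return the
# error string that would go back to the client (nil means it was accepted).
def check_channel(channel, token = nil)
  message = { 'channel' => channel, 'ext' => { 'token' => token } }
  result  = nil
  StrictChannelAuth.new.incoming(message, ->(m) { result = m })
  result['error']
end
```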