socket.io-0.9.19.tgz: 8 vulnerabilities (highest severity is: 9.8)
mend-bolt-for-github opened this issue · 0 comments
Vulnerable Library - socket.io-0.9.19.tgz
Real-time apps made cross-browser & easy with a WebSocket-like API
Library home page: https://registry.npmjs.org/socket.io/-/socket.io-0.9.19.tgz
Path to dependency file: /slides/search/Search---A-Journey-of-Delivery-on-a-Budget/reveal.js/package.json
Path to vulnerable library: /slides/search/Search---A-Journey-of-Delivery-on-a-Budget/reveal.js/node_modules/socket.io/package.json
Found in HEAD commit: 69c30ec227cf4ed8e14a7dec63e3552e78da0da1
Vulnerabilities
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2015-8857 | High | 9.8 | uglify-js-1.2.5.tgz | Transitive | 1.0.0 | ❌ |
CVE-2020-28502 | High | 8.1 | xmlhttprequest-1.4.2.tgz | Transitive | 1.0.0 | ❌ |
CVE-2016-10518 | High | 7.5 | ws-0.4.32.tgz | Transitive | 1.0.0 | ❌ |
CVE-2015-8858 | High | 7.5 | uglify-js-1.2.5.tgz | Transitive | 1.0.0 | ❌ |
CVE-2016-10542 | High | 7.5 | ws-0.4.32.tgz | Transitive | 1.0.0 | ❌ |
WS-2017-0421 | High | 7.5 | ws-0.4.32.tgz | Transitive | 1.0.0 | ❌ |
WS-2017-0107 | High | 7.4 | ws-0.4.32.tgz | Transitive | 1.0.0 | ❌ |
CVE-2020-28481 | Medium | 4.3 | socket.io-0.9.19.tgz | Direct | 2.4.0 | ❌ |
Details
CVE-2015-8857
Vulnerable Library - uglify-js-1.2.5.tgz
JavaScript parser and compressor/beautifier toolkit
Library home page: https://registry.npmjs.org/uglify-js/-/uglify-js-1.2.5.tgz
Path to dependency file: /slides/search/Search---A-Journey-of-Delivery-on-a-Budget/reveal.js/package.json
Path to vulnerable library: /slides/search/Search---A-Journey-of-Delivery-on-a-Budget/reveal.js/node_modules/socket.io-client/node_modules/uglify-js/package.json
Dependency Hierarchy:
- socket.io-0.9.19.tgz (Root Library)
  - socket.io-client-0.9.16.tgz
    - ❌ uglify-js-1.2.5.tgz (Vulnerable Library)
Found in HEAD commit: 69c30ec227cf4ed8e14a7dec63e3552e78da0da1
Found in base branch: master
Vulnerability Details
The uglify-js package before 2.4.24 for Node.js does not properly account for non-boolean values when rewriting boolean expressions, which might allow attackers to bypass security mechanisms or possibly have unspecified other impact by leveraging improperly rewritten JavaScript.
Publish Date: 2017-01-23
URL: CVE-2015-8857
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8858
Release Date: 2017-01-23
Fix Resolution (uglify-js): 2.4.24
Direct dependency fix Resolution (socket.io): 1.0.0
Step up your Open Source Security Game with Mend here
CVE-2020-28502
Vulnerable Library - xmlhttprequest-1.4.2.tgz
XMLHttpRequest for Node
Library home page: https://registry.npmjs.org/xmlhttprequest/-/xmlhttprequest-1.4.2.tgz
Path to dependency file: /slides/search/Search---A-Journey-of-Delivery-on-a-Budget/reveal.js/package.json
Path to vulnerable library: /slides/search/Search---A-Journey-of-Delivery-on-a-Budget/reveal.js/node_modules/xmlhttprequest/package.json
Dependency Hierarchy:
- socket.io-0.9.19.tgz (Root Library)
  - socket.io-client-0.9.16.tgz
    - ❌ xmlhttprequest-1.4.2.tgz (Vulnerable Library)
Found in HEAD commit: 69c30ec227cf4ed8e14a7dec63e3552e78da0da1
Found in base branch: master
Vulnerability Details
This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run.
Publish Date: 2021-03-05
URL: CVE-2020-28502
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-h4j5-c7cj-74xg
Release Date: 2021-03-05
Fix Resolution (xmlhttprequest): 1.7.0
Direct dependency fix Resolution (socket.io): 1.0.0
CVE-2016-10518
Vulnerable Library - ws-0.4.32.tgz
simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455
Library home page: https://registry.npmjs.org/ws/-/ws-0.4.32.tgz
Path to dependency file: /slides/search/Search---A-Journey-of-Delivery-on-a-Budget/reveal.js/package.json
Path to vulnerable library: /slides/search/Search---A-Journey-of-Delivery-on-a-Budget/reveal.js/node_modules/ws/package.json
Dependency Hierarchy:
- socket.io-0.9.19.tgz (Root Library)
  - socket.io-client-0.9.16.tgz
    - ❌ ws-0.4.32.tgz (Vulnerable Library)
Found in HEAD commit: 69c30ec227cf4ed8e14a7dec63e3552e78da0da1
Found in base branch: master
Vulnerability Details
A vulnerability was found in the ping functionality of the ws module before 1.0.0 which allowed clients to allocate memory by sending a ping frame. The ping functionality by default responds with a pong frame carrying the payload of the ping frame it received. This is exactly what you expect, but internally ws always transforms all data it needs to send into a Buffer instance, and that is where the vulnerability existed: ws did not check the type of the data it was sending. In Node, allocating a Buffer from a number instead of a string allocates that number of bytes.
Publish Date: 2018-05-31
URL: CVE-2016-10518
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-10518
Release Date: 2018-05-31
Fix Resolution (ws): 1.0.1
Direct dependency fix Resolution (socket.io): 1.0.0
CVE-2015-8858
Vulnerable Library - uglify-js-1.2.5.tgz
JavaScript parser and compressor/beautifier toolkit
Library home page: https://registry.npmjs.org/uglify-js/-/uglify-js-1.2.5.tgz
Path to dependency file: /slides/search/Search---A-Journey-of-Delivery-on-a-Budget/reveal.js/package.json
Path to vulnerable library: /slides/search/Search---A-Journey-of-Delivery-on-a-Budget/reveal.js/node_modules/socket.io-client/node_modules/uglify-js/package.json
Dependency Hierarchy:
- socket.io-0.9.19.tgz (Root Library)
  - socket.io-client-0.9.16.tgz
    - ❌ uglify-js-1.2.5.tgz (Vulnerable Library)
Found in HEAD commit: 69c30ec227cf4ed8e14a7dec63e3552e78da0da1
Found in base branch: master
Vulnerability Details
The uglify-js package before 2.6.0 for Node.js allows attackers to cause a denial of service (CPU consumption) via crafted input in a parse call, aka a "regular expression denial of service (ReDoS)."
Publish Date: 2017-01-23
URL: CVE-2015-8858
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8858
Release Date: 2017-01-23
Fix Resolution (uglify-js): 2.6.0
Direct dependency fix Resolution (socket.io): 1.0.0
CVE-2016-10542
Vulnerable Library - ws-0.4.32.tgz
simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455
Library home page: https://registry.npmjs.org/ws/-/ws-0.4.32.tgz
Path to dependency file: /slides/search/Search---A-Journey-of-Delivery-on-a-Budget/reveal.js/package.json
Path to vulnerable library: /slides/search/Search---A-Journey-of-Delivery-on-a-Budget/reveal.js/node_modules/ws/package.json
Dependency Hierarchy:
- socket.io-0.9.19.tgz (Root Library)
  - socket.io-client-0.9.16.tgz
    - ❌ ws-0.4.32.tgz (Vulnerable Library)
Found in HEAD commit: 69c30ec227cf4ed8e14a7dec63e3552e78da0da1
Found in base branch: master
Vulnerability Details
ws is a "simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455". By sending an overly long websocket payload to a ws server, it is possible to crash the node process. This affects ws 1.1.0 and earlier.
Publish Date: 2018-05-31
URL: CVE-2016-10542
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8858
Release Date: 2018-05-31
Fix Resolution (ws): 1.1.1
Direct dependency fix Resolution (socket.io): 1.0.0
WS-2017-0421
Vulnerable Library - ws-0.4.32.tgz
simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455
Library home page: https://registry.npmjs.org/ws/-/ws-0.4.32.tgz
Path to dependency file: /slides/search/Search---A-Journey-of-Delivery-on-a-Budget/reveal.js/package.json
Path to vulnerable library: /slides/search/Search---A-Journey-of-Delivery-on-a-Budget/reveal.js/node_modules/ws/package.json
Dependency Hierarchy:
- socket.io-0.9.19.tgz (Root Library)
  - socket.io-client-0.9.16.tgz
    - ❌ ws-0.4.32.tgz (Vulnerable Library)
Found in HEAD commit: 69c30ec227cf4ed8e14a7dec63e3552e78da0da1
Found in base branch: master
Vulnerability Details
A Denial of Service vulnerability was found in the ws npm package 0.2.6 through 1.1.4 and 2.0.0 through 3.3.0. ws can crash when a specially crafted Sec-WebSocket-Extensions header containing Object.prototype property names as extension or parameter names is sent.
Publish Date: 2017-11-08
URL: WS-2017-0421
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-5v72-xg48-5rpm
Release Date: 2017-11-08
Fix Resolution (ws): 1.1.5
Direct dependency fix Resolution (socket.io): 1.0.0
WS-2017-0107
Vulnerable Library - ws-0.4.32.tgz
simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455
Library home page: https://registry.npmjs.org/ws/-/ws-0.4.32.tgz
Path to dependency file: /slides/search/Search---A-Journey-of-Delivery-on-a-Budget/reveal.js/package.json
Path to vulnerable library: /slides/search/Search---A-Journey-of-Delivery-on-a-Budget/reveal.js/node_modules/ws/package.json
Dependency Hierarchy:
- socket.io-0.9.19.tgz (Root Library)
  - socket.io-client-0.9.16.tgz
    - ❌ ws-0.4.32.tgz (Vulnerable Library)
Found in HEAD commit: 69c30ec227cf4ed8e14a7dec63e3552e78da0da1
Found in base branch: master
Vulnerability Details
websockets uses the Math.random function to generate the masking key. This function is not random enough, allowing an attacker to guess the key easily. With the key, an attacker can read the payload, causing potential information disclosure.
Publish Date: 2016-09-20
URL: WS-2017-0107
CVSS 3 Score Details (7.4)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Adjacent
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2016-09-20
Fix Resolution (ws): 1.1.2
Direct dependency fix Resolution (socket.io): 1.0.0
CVE-2020-28481
Vulnerable Library - socket.io-0.9.19.tgz
Real-time apps made cross-browser & easy with a WebSocket-like API
Library home page: https://registry.npmjs.org/socket.io/-/socket.io-0.9.19.tgz
Path to dependency file: /slides/search/Search---A-Journey-of-Delivery-on-a-Budget/reveal.js/package.json
Path to vulnerable library: /slides/search/Search---A-Journey-of-Delivery-on-a-Budget/reveal.js/node_modules/socket.io/package.json
Dependency Hierarchy:
- ❌ socket.io-0.9.19.tgz (Vulnerable Library)
Found in HEAD commit: 69c30ec227cf4ed8e14a7dec63e3552e78da0da1
Found in base branch: master
Vulnerability Details
The package socket.io before 2.4.0 is vulnerable to Insecure Defaults due to CORS Misconfiguration. All domains are whitelisted by default.
Publish Date: 2021-01-19
URL: CVE-2020-28481
CVSS 3 Score Details (4.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: None
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28481
Release Date: 2021-01-19
Fix Resolution: 2.4.0