5316 matches found

The Hacker News
added 2022/12/07 4:3 a.m. · 43 views

New Go-based Botnet Exploiting Dozens of IoT Vulnerabilities to Expand its Network

NOTE: In this blog, Zerobot refers to a botnet that spreads primarily through IoT and web application vulnerabilities. It is not associated with the chatbot ZeroBot.ai. A novel Go-based botnet called Zerobot has been observed in the wild proliferating by taking advantage of nearly two dozen...

7.6 AI score
Exploits: 0
BDU FSTEC
added 2022/11/30 12:0 a.m. · 6 views

The vulnerability of WebSocket functions in WebKitGTK and WPE WebKit rendering modules allows attackers to execute arbitrary code.

The vulnerability of WebSocket functions in WebKitGTK and WPE WebKit implementations relates to the use of memory after it is freed. Exploiting this vulnerability could allow an attacker to execute arbitrary code by opening a specially created web page...

10 CVSS · 8.1 AI score · 0.03266 EPSS
Exploits: 1 · References: 9 · Affected Software: 7
RedHat Linux
added 2022/11/15 10:41 a.m. · 10 views

tomcat: OutOfMemoryError caused by HTTP upgrade connection leak could lead to DoS

A memory leak flaw was found in Apache Tomcat, where an HTTP upgrade connection does not release for WebSocket connections once the WebSocket connection is closed. If a sufficient number of such requests are made, an OutOfMemoryError occurs, leading to a denial of service. The highest threat from...

7.5 CVSS · 6.7 AI score · 0.10997 EPSS
Exploits: 0 · References: 9
RedHat Linux
added 2022/11/15 9:58 a.m. · 4 views

httpd: mod_lua: Information disclosure with websockets

A flaw was found in the mod_lua module of httpd. The data returned by the wsread function may point past the end of the storage allocated for the buffer, resulting in information disclosure...

7.5 CVSS · 7.1 AI score · 0.04656 EPSS
Exploits: 0 · References: 5
CNNVD
added 2022/11/14 12:0 a.m. · 2 views

patrickfuller camp security vulnerability

patrickfuller camp is a websocket-based Raspberry Pi webcam web server by the individual developer Patrick Fuller. A security vulnerability exists in patrickfuller camp at commit bbd53a256ed70e79bd8758080936afbf6d738767, which stems from the fact that its...

9.8 CVSS · 8.3 AI score · 0.49201 EPSS
Exploits: 3 · References: 7
OSV
added 2022/11/11 11:4 a.m. · 2 views

OESA-2022-2093 rubygem-websocket-extensions security update

Generic extension manager for WebSocket connections. Security Fixes: websocket-extensions ruby module prior to 0.1.5 allows Denial of Service (DoS) via Regex Backtracking. The extension parser may take quadratic time when parsing a header containing an unclosed string parameter value whose content ...

7.5 CVSS · 6.9 AI score · 0.04349 EPSS
Exploits: 1 · References: 2
Veracode
added 2022/11/09 4:37 a.m. · 34 views

Denial Of Service (DoS)

@fastify/websocket and fastify-websocket are vulnerable to denial of service. The vulnerability is due to the fastifyWebsocket function in index.js which crashes the application on an uncaught exception when processing a malformed packet...

7.5 CVSS · 7.1 AI score · 0.00731 EPSS
Exploits: 0 · References: 6 · Affected Software: 2
NVD
added 2022/11/08 10:15 p.m. · 38 views

CVE-2022-39386

@fastify/websocket provides WebSocket support for Fastify. Any application using @fastify/websocket could crash if a specific, malformed packet is sent. All versions of fastify-websocket are also impacted. That module is deprecated, so it will not be patched. This has been patched in version 7.1....

7.5 CVSS · 0.00731 EPSS
Exploits: 0 · References: 1
Prion
added 2022/11/08 10:15 p.m. · 17 views

Design/Logic Flaw

@fastify/websocket provides WebSocket support for Fastify. Any application using @fastify/websocket could crash if a specific, malformed packet is sent. All versions of fastify-websocket are also impacted. That module is deprecated, so it will not be patched. This has been patched in version 7.1....

5 CVSS · 7.4 AI score · 0.00731 EPSS
Exploits: 0 · References: 1 · Affected Software: 1
Vulnrichment
added 2022/11/08 12:0 a.m. · 4 views

CVE-2022-39386 fastify-websocket vulnerable to uncaught exception via crash on malformed packet

@fastify/websocket provides WebSocket support for Fastify. Any application using @fastify/websocket could crash if a specific, malformed packet is sent. All versions of fastify-websocket are also impacted. That module is deprecated, so it will not be patched. This has been patched in version 7.1....

7.5 CVSS · 7.5 AI score · 0.00731 EPSS
Exploits: 0 · References: 1
CNNVD
added 2022/11/08 12:0 a.m. · 33 views

Fastify security vulnerability

Fastify is an open source web framework for Node.js from the OpenJS Foundation. Fastify fastify-websocket suffers from a security vulnerability that originates from an attacker sending it specific packets in the wrong format, which could cause it to crash...

7.5 CVSS · 7.3 AI score · 0.00731 EPSS
Exploits: 0 · References: 2
Cvelist
added 2022/11/08 12:0 a.m. · 49 views

CVE-2022-39386 fastify-websocket vulnerable to uncaught exception via crash on malformed packet

@fastify/websocket provides WebSocket support for Fastify. Any application using @fastify/websocket could crash if a specific, malformed packet is sent. All versions of fastify-websocket are also impacted. That module is deprecated, so it will not be patched. This has been patched in version 7.1....

7.5 CVSS · 7.7 AI score · 0.00731 EPSS
Exploits: 0 · References: 1
OSV
added 2022/11/08 12:0 a.m. · 31 views

CVE-2022-39386 fastify-websocket vulnerable to uncaught exception via crash on malformed packet

@fastify/websocket provides WebSocket support for Fastify. Any application using @fastify/websocket could crash if a specific, malformed packet is sent. All versions of fastify-websocket are also impacted. That module is deprecated, so it will not be patched. This has been patched in version 7.1....

7.5 CVSS · 7.3 AI score · 0.00731 EPSS
Exploits: 0 · References: 3
CVE
added 2022/11/08 12:0 a.m. · 85 views

CVE-2022-39386

The CVE concerns @fastify/websocket/fastify-websocket: all versions are reported to crash when processing a specific malformed WebSocket packet, causing a Denial of Service. The issue stems from a crash on malformed input, and the module is deprecated with no built-in patches. Patched versions ar...

7.5 CVSS · 7.4 AI score · 0.00731 EPSS
Exploits: 0 · References: 1 · Affected Software: 1
vulnersOsv
added 2022/11/07 9:13 p.m. · 0 views

@0x77/ccpack (>=0.0.0 <=0.1.5), @aio-server/core (>=0.0.1 <=0.0.1001) +87 more potentially affected by CVE-2022-39386 via fastify-websocket (>=0.3.0 <=4.3.0)

fastify-websocket NPM version =0.3.0, =0.0.0, =0.0.1, =0.0.1, =0.0.15, =0.0.13, =1.0.0, =0.2.42, =1.0.0, =2.0.3, =9.1.1, =9.1.4 and more Source cves: CVE-2022-39386 Source advisory: OSV:GHSA-4PCG-WR6C-H9CQ...

7.5 CVSS · 7.1 AI score · 0.00731 EPSS
Exploits: 0
OSV
added 2022/11/07 9:13 p.m. · 1 views

GHSA-4PCG-WR6C-H9CQ fastify/websocket vulnerable to uncaught exception via crash on malformed packet

Impact: Any application using @fastify/websocket could crash if a specific, malformed packet is sent. All versions of fastify-websocket are also impacted. That module is deprecated, so it will not be patched. Patches: This has been patched in v7.1.1 (fastify v4) and v5.0.1 (fastify v3). Workarounds: No...

7.5 CVSS · 5.7 AI score · 0.00731 EPSS
Exploits: 0 · References: 8
Github Security Blog
added 2022/11/07 9:13 p.m. · 22 views

fastify/websocket vulnerable to uncaught exception via crash on malformed packet

Impact: Any application using @fastify/websocket could crash if a specific, malformed packet is sent. All versions of fastify-websocket are also impacted. That module is deprecated, so it will not be patched. Patches: This has been patched in v7.1.1 (fastify v4) and v5.0.1 (fastify v3). Workarounds: No...

7.5 CVSS · 7.2 AI score · 0.00731 EPSS
Exploits: 0 · References: 8 · Affected Software: 2
Positive Technologies
added 2022/11/07 12:0 a.m. · 7 views

PT-2022-24945 · Fastify · @Fastify/Websocket

Name of the Vulnerable Software and Affected Versions: fastify-websocket versions prior to 7.1.1 fastify v4 and prior to 5.0.1 fastify v3 @fastify/websocket all versions, deprecated Description: Any application using @fastify/websocket could crash if a specific, malformed packet is sent. The issu...

7.5 CVSS · 7.4 AI score · 0.00731 EPSS
Exploits: 0 · References: 11
Kitploit
added 2022/11/02 11:30 a.m. · 30 views

Jscythe - Abuse The Node.Js Inspector Mechanism In Order To Force Any Node.Js/Electron/V8 Based Process To Execute Arbitrary Javascript Code

jscythe abuses the node.js inspector mechanism in order to force any node.js/electron/v8 based process to execute arbitrary javascript code, even if their debugging capabilities are disabled. Tested and working against Visual Studio Code, Discord, any Node.js application and more! How 1. Locate t...

8 AI score
Exploits: 0 · References: 1
OSV
added 2022/10/25 5:33 p.m. · 41 views

GHSA-RH58-R7JH-XHX3 .NET Core Elevation of Privilege Vulnerability

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 5.0 and .NET Core 3.1. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. A denial of service vulnerability exists in .NET 5.0,...

7.5 CVSS · 7.1 AI score · 0.03858 EPSS
Exploits: 0 · References: 4