CVE-2020-16100

It is possible for an unauthenticated remote DCOM websocket connection to crash the Command Centre service's DCOM websocket thread due to improper shutdown of closed websocket connections, preventing it from accepting future DCOM websocket Configuration Client connections. Affected versions are...

Denial-of-Service (DoS)

jbossweb is vulnerable to denial of service DoS. The vulnerability exists because of an incomplete fix of CVE-2020-13935 for WebSocket in JBossWeb, leading to DoS...

Important: Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 6.4 security update

An update is now available for Red Hat JBoss Enterprise Application Platform 6.4. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each...

jbossweb: Incomplete fix of CVE-2020-13935 for WebSocket in JBossWeb could lead to DoS

A flaw was found in jbossweb. The fix for CVE-2020-13935 was incomplete in JBossWeb, leaving it vulnerable to a denial of service attack when sending multiple requests with invalid payload length in a WebSocket frame. The highest threat from this vulnerability is to system availability...

jbossweb: Incomplete fix of CVE-2020-13935 for WebSocket in JBossWeb could lead to DoS

A flaw was found in jbossweb. The fix for CVE-2020-13935 was incomplete in JBossWeb, leaving it vulnerable to a denial of service attack when sending multiple requests with invalid payload length in a WebSocket frame. The highest threat from this vulnerability is to system availability...

SUSE-SU-2020:2611-1 Security update for tomcat

This update for tomcat fixes the following issues: - CVE-2020-1935: Fixed an HTTP request smuggling vulnerability bsc1164860. - CVE-2020-13935: Fixed a WebSocket DoS bsc1174117...

CVE-2020-14384

A flaw was found in JBossWeb in versions before 7.5.31.Final-redhat-3. The fix for CVE-2020-13935 was incomplete in JBossWeb, leaving it vulnerable to a denial of service attack when sending multiple requests with invalid payload length in a WebSocket frame. The highest threat from this...

CVE-2020-14384

Technical details for CVE-2020-14384 are not publicly available in the provided documents. Connected sources reference CVE-2020-13935 and related Tomcat/JBossWeb issues; monitor for updates.

CVE-2020-14384

A flaw was found in jbossweb. The fix for CVE-2020-13935 was incomplete in JBossWeb, leaving it vulnerable to a denial of service attack when sending multiple requests with invalid payload length in a WebSocket frame. The highest threat from this vulnerability is to system availability. Mitigatio...

Malicious Package in rpc-websocket

Versions of rpc-websocket = 0.7.6 contained malicious code. The package opens a backdoor to a remote server and executes arbitrary commands, effectively acting as a backdoor. Recommendation Any computer that has these versions of the package installed or running should be considered fully...

GHSA-77Q4-M83Q-W76V Missing Origin Validation in browserify-hmr

Versions of browserify-hmr prior to 0.4.0 are missing origin validation on the websocket server. This vulnerability allows a remote attacker to steal a developer's source code because the origin of requests to the websocket server that is used for Hot Module Replacement HMR are not validated...

Missing Origin Validation in browserify-hmr

Versions of browserify-hmr prior to 0.4.0 are missing origin validation on the websocket server. This vulnerability allows a remote attacker to steal a developer's source code because the origin of requests to the websocket server that is used for Hot Module Replacement HMR are not validated...

Denial of Service in uws

Affected versions of uws do not properly handle large websocket messages when permessage-deflate is enabled, which may result in a denial of service condition. If uws recieves a 256Mb websocket message when permessage-deflate is enabled, the server will compress the message prior to executing the...

libvncserver: websocket decoding buffer overflow

A flaw was found in libvncserver. A heap-based buffer overflow within the websocket decoding functionality is possible, which can lead to exploitation by a malicious attacker to overwrite a function pointer. The highest threat from this vulnerability is to data confidentiality and integrity as we...

RHEL 8 : libvncserver (RHSA-2020:3588)

The remote Redhat Enterprise Linux 8 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2020:3588 advisory. LibVNCServer is a C library that enables you to implement VNC server functionality into own programs. Security Fixes: libvncserver: websocket decodin...

Security Bulletin: IBM Resilient SOAR is Using Components with Known Vulnerabilities - Apache Tomcat 7.099 (CVE-2020-13935)

Summary Apache Tomcat 7.099 is vulnerable to a denial of service, caused by improper validation of the payload length in a WebSocket frame. By sending multiple requests with invalid payload lengths, a remote attacker could exploit this vulnerability to cause the application to enter into an...

CVE-2020-24548

Ericom Access Server 9.2.0 for AccessNow and Ericom Blaze allows SSRF to make outbound WebSocket connection requests on arbitrary TCP ports, and provides "Cannot connect to" error messages to inform the attacker about closed ports...

CVE-2020-24548

Ericom Access Server 9.2.0 for AccessNow and Ericom Blaze allows SSRF to make outbound WebSocket connection requests on arbitrary TCP ports, and provides "Cannot connect to" error messages to inform the attacker about closed ports...

CVE-2020-24548

Ericom Access Server 9.2.0 for AccessNow and Ericom Blaze allows SSRF to make outbound WebSocket connection requests on arbitrary TCP ports, and provides "Cannot connect to" error messages to inform the attacker about closed ports...

Server side request forgery (ssrf)

Ericom Access Server 9.2.0 for AccessNow and Ericom Blaze allows SSRF to make outbound WebSocket connection requests on arbitrary TCP ports, and provides "Cannot connect to" error messages to inform the attacker about closed ports...