Veracode Vulnerability DatabaseVERACODE:30741Regular Expression Denial Of Service (ReDoS)
5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
ws is vulnerable to regular expression denial of service. An attacker is able to cause excessive CPU consumption that can lead to an application crash by submitting a malicious value of Sec-Websocket-Protocol.
| CPE | Name | Operator | Version |
|---|---|---|---|
| node-ws:sid | eq | 7.4.2+~cs18.0.8-1 | |
| node-ws:sid | eq | 7.4.0+~cs18.0.6-1 | |
| node-ws:sid | eq | 7.4.2+~cs18.0.8-1 | |
| node-ws:sid | eq | 7.4.0+~cs18.0.6-1 |
References
github.com/advisories/GHSA-6fc8-4gx4-v693
github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff
github.com/websockets/ws/issues/1895
github.com/websockets/ws/security/advisories/GHSA-6fc8-4gx4-v693
lists.apache.org/thread.html/rdfa7b6253c4d6271e31566ecd5f30b7ce1b8fb2c89d52b8c4e0f4e30@%3Ccommits.tinkerpop.apache.org%3E
security-tracker.debian.org/tracker/CVE-2021-32640
security.netapp.com/advisory/ntap-20210706-0005/
www.linkedin.com/in/robmcl4
Related
5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P