CVE-2017-16031

Опубликовано: 04 июн. 2018

Источник: nvd

CVSS3: 7.5

CVSS2: 5

EPSS Низкий

Описание

Socket.io is a realtime application framework that provides communication via websockets. Because socket.io 0.9.6 and earlier depends on Math.random() to create socket IDs, the IDs are predictable. An attacker is able to guess the socket ID and gain access to socket.io servers, potentially obtaining sensitive information.

Ссылки

https://github.com/socketio/socket.io/commit/67b4eb9abdf111dfa9be4176d1709374a2b4ded8
Issue Tracking
Patch
Third Party Advisory
https://github.com/socketio/socket.io/issues/856
Issue Tracking
Third Party Advisory
https://github.com/socketio/socket.io/pull/857
Issue Tracking
Third Party Advisory
https://nodesecurity.io/advisories/321
Third Party Advisory
https://github.com/socketio/socket.io/commit/67b4eb9abdf111dfa9be4176d1709374a2b4ded8
Issue Tracking
Patch
Third Party Advisory
https://github.com/socketio/socket.io/issues/856
Issue Tracking
Third Party Advisory
https://github.com/socketio/socket.io/pull/857
Issue Tracking
Third Party Advisory
https://nodesecurity.io/advisories/321
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:socket:socket.io:*:*:*:*:*:node.js:*:*

Версия до 0.9.6 (включая)

EPSS

Процентиль: 59%

0.00385

Низкий

7.5 High

CVSS3

5 Medium

CVSS2

Дефекты

CWE-330

Связанные уязвимости

GHSA-qv2v-m59f-v5fw