mouse170 / motor-control-test Goto Github PK

Vulnerable Library - ws-0.4.32.tgz

simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455

Library home page: https://registry.npmjs.org/ws/-/ws-0.4.32.tgz

Path to dependency file: /motor-control-test/package.json

Path to vulnerable library: /motor-control-test/node_modules/ws/package.json

Dependency Hierarchy:

• ❌ ws-0.4.32.tgz (Vulnerable Library)

Found in HEAD commit: 72b723c157eec5a678f27835d5d1da90d1734715

Vulnerability Details

A vulnerability was found in the ping functionality of the ws module before 1.0.0 which allowed clients to allocate memory by sending a ping frame. The ping functionality by default responds with a pong frame and the previously given payload of the ping frame. This is exactly what you expect, but internally ws always transforms all data that we need to send to a Buffer instance and that is where the vulnerability existed. ws didn't do any checks for the type of data it was sending. With buffers in node when you allocate it when a number instead of a string it will allocate the amount of bytes.

Publish Date: 2018-05-31

URL: CVE-2016-10518

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-10518

Release Date: 2018-05-31

Fix Resolution: 1.0.0

Vulnerable Library - ws-0.4.32.tgz

simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455

Library home page: https://registry.npmjs.org/ws/-/ws-0.4.32.tgz

Path to dependency file: /motor-control-test/package.json

Path to vulnerable library: /motor-control-test/node_modules/ws/package.json

Dependency Hierarchy:

• ❌ ws-0.4.32.tgz (Vulnerable Library)

Found in HEAD commit: 72b723c157eec5a678f27835d5d1da90d1734715

Vulnerability Details

Depending on the JavaScript engine, Math.random can be anywhere between extremely insecure and cryptographically pseudo-random.
Versions which use Math.random can produce predictable values, thus shall not be used.

Publish Date: 2016-09-20

URL: WS-2017-0107

CVSS 2 Score Details (5.9)

Base Score Metrics not available

Suggested Fix

Type: Change files

Origin: websockets/ws@7253f06

Release Date: 2016-11-25

Fix Resolution: Replace or update the following file: Sender.js

Vulnerable Library - ws-0.4.32.tgz

simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455

Library home page: https://registry.npmjs.org/ws/-/ws-0.4.32.tgz

Path to dependency file: /motor-control-test/package.json

Path to vulnerable library: /motor-control-test/node_modules/ws/package.json

Dependency Hierarchy:

• ❌ ws-0.4.32.tgz (Vulnerable Library)

Found in HEAD commit: 72b723c157eec5a678f27835d5d1da90d1734715

Vulnerability Details

By sending an overly long websocket payload to a ws server, it is possible to crash the node process.

Publish Date: 2016-06-24

URL: WS-2016-0040

CVSS 2 Score Details (7.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/120

Release Date: 2016-06-24

Fix Resolution: Update to version 1.1.1 of ws, or if that is not possible, set the `maxpayload` option for the `ws` server - make sure the value is less than 256MB.

Vulnerable Library - ws-0.4.32.tgz

simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455

Library home page: https://registry.npmjs.org/ws/-/ws-0.4.32.tgz

Path to dependency file: /motor-control-test/package.json

Path to vulnerable library: /motor-control-test/node_modules/ws/package.json

Dependency Hierarchy:

• ❌ ws-0.4.32.tgz (Vulnerable Library)

Found in HEAD commit: 72b723c157eec5a678f27835d5d1da90d1734715

Vulnerability Details

ws is a "simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455". By sending an overly long websocket payload to a ws server, it is possible to crash the node process. This affects ws 1.1.0 and earlier.

Publish Date: 2018-05-31

URL: CVE-2016-10542

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8858

Release Date: 2018-12-15

Fix Resolution: v2.4.24

Vulnerable Libraries - ms-0.7.1.tgz, ms-0.7.2.tgz

Found in HEAD commit: 72b723c157eec5a678f27835d5d1da90d1734715

Vulnerability Details

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS).

Publish Date: 2017-05-15

URL: WS-2017-0247

CVSS 2 Score Details (3.4)

Base Score Metrics not available

Suggested Fix

Type: Change files

Origin: vercel/ms@305f2dd

Release Date: 2017-04-12

Fix Resolution: Replace or update the following file: index.js

Vulnerable Library - parsejson-0.0.3.tgz

Method that parses a JSON string and returns a JSON object

Library home page: https://registry.npmjs.org/parsejson/-/parsejson-0.0.3.tgz

Path to dependency file: /motor-control-test/package.json

Path to vulnerable library: /tmp/git/motor-control-test/node_modules/parsejson/package.json

Dependency Hierarchy:

• socket.io-1.7.4.tgz (Root Library)
  • socket.io-client-1.7.4.tgz
    • engine.io-client-1.8.5.tgz
      • ❌ parsejson-0.0.3.tgz (Vulnerable Library)

Found in HEAD commit: 72b723c157eec5a678f27835d5d1da90d1734715

Vulnerability Details

The parsejson module is vulnerable to regular expression denial of service when untrusted user input is passed into it to be parsed.

Publish Date: 2018-06-07

URL: CVE-2017-16113

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Vulnerable Libraries - ws-0.4.32.tgz, ws-1.1.5.tgz

Found in HEAD commit: 72b723c157eec5a678f27835d5d1da90d1734715

Vulnerability Details

Affected version of ws (0.2.6--3.3.0) are vulnerable to A specially crafted value of the Sec-WebSocket-Extensions header that used Object.prototype property names as extension or parameter names could be used to make a ws server crash.

Publish Date: 2017-11-08

URL: WS-2017-0421

CVSS 2 Score Details (7.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/550/versions

Release Date: 2019-01-24

Fix Resolution: 3.3.1

Vulnerable Libraries - debug-2.3.3.tgz, debug-2.2.0.tgz

Found in HEAD commit: 72b723c157eec5a678f27835d5d1da90d1734715

Vulnerability Details

The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.

Publish Date: 2018-06-07

URL: CVE-2017-16137

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Change files

Origin: debug-js/debug@42a6ae0

Release Date: 2017-09-21

Fix Resolution: Replace or update the following file: node.js

Vulnerable Library - ws-0.4.32.tgz

simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455

Library home page: https://registry.npmjs.org/ws/-/ws-0.4.32.tgz

Path to dependency file: /motor-control-test/package.json

Path to vulnerable library: /motor-control-test/node_modules/ws/package.json

Dependency Hierarchy:

• ❌ ws-0.4.32.tgz (Vulnerable Library)

Found in HEAD commit: 72b723c157eec5a678f27835d5d1da90d1734715

Vulnerability Details

DoS in ws module due to excessively large websocket message.

Publish Date: 2016-06-24

URL: WS-2016-0031

CVSS 2 Score Details (7.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/120

Release Date: 2016-06-24

Fix Resolution: Update to version 1.1.1 of ws, or if that is not possible, set the `maxpayload` option for the `ws` server - make sure the value is less than 256MB.