
CVE-2016-10518

UNKNOWN
Published 2018-05-31T20:00:00Z

No CVSS data available

Description

A vulnerability was found in the ping functionality of the ws module before 1.0.0 which allowed clients to allocate memory by sending a ping frame. By default, the ping functionality responds with a pong frame carrying the payload of the ping frame. This is the expected behaviour, but internally ws always converts the data it needs to send into a Buffer instance, and that is where the vulnerability existed: ws did not check the type of the data it was sending. In Node.js, when a Buffer is allocated with a number instead of a string, it allocates that number of bytes.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

Affected Products

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

✓ GitHub Reviewed LOW

Remote Memory Disclosure in ws

GHSA-2mhh-w6q8-5hxw

Advisory Details

Versions of `ws` prior to 1.0.1 are affected by a remote memory disclosure vulnerability. In certain rare circumstances, applications which allow users to control the arguments of a `client.ping()` call will cause `ws` to send the contents of an allocated but non-zero-filled buffer to the server. This may disclose sensitive information that still exists in memory after previous use of the memory for other tasks.

## Proof of Concept

```
var ws = require('ws')

var server = new ws.Server({ port: 9000 })
var client = new ws('ws://localhost:9000')

client.on('open', function () {
  console.log('open')
  client.ping(50) // this sends a non-zeroed buffer of 50 bytes

  client.on('pong', function (data) {
    console.log('got pong')
    console.log(data) // Data from the client.
  })
})
```

## Recommendation

Update to version 1.0.1 or greater.
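The type confusion described above, next to a type-checked conversion, as an added example that is not code from the advisory or from the `ws` project. The function names are hypothetical, `Buffer.allocUnsafe` stands in for the old `new Buffer(number)` behaviour (current Node.js zero-fills `new Buffer(n)`), and the JSON input is constructed.

```javascript
'use strict';

// Models the unchecked conversion: a numeric argument becomes an
// allocation size instead of payload content.
function toPayloadUnchecked(data) {
  if (Buffer.isBuffer(data)) return data;
  if (typeof data === 'number') return Buffer.allocUnsafe(data); // n uninitialised bytes
  return Buffer.from(String(data), 'utf8');
}

// RFC 6455 caps control frame (ping/pong/close) payloads at 125 bytes.
const MAX_CONTROL_PAYLOAD = 125;

// Hardened conversion (one possible approach, an assumption): decide by
// type, so a number is only ever treated as text and never as a size.
function toPayloadChecked(data) {
  if (data === undefined || data === null) return Buffer.alloc(0);
  let buf;
  if (Buffer.isBuffer(data)) buf = data;
  else if (typeof data === 'string') buf = Buffer.from(data, 'utf8');
  else if (typeof data === 'number') buf = Buffer.from(String(data), 'utf8');
  else throw new TypeError('ping payload must be a string or Buffer');
  if (buf.length > MAX_CONTROL_PAYLOAD) {
    throw new RangeError('control frame payload exceeds 125 bytes');
  }
  return buf;
}

// Constructed scenario: the ping argument comes from parsed JSON, so its
// type is whatever the sender chose.
function comparePayloads(rawJson) {
  const arg = JSON.parse(rawJson).ping;
  return {
    unchecked: toPayloadUnchecked(arg).length,      // bytes taken from the heap
    checked: toPayloadChecked(arg).toString('utf8') // bytes actually supplied
  };
}

console.log(comparePayloads('{"ping": 50}'));
```
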

Affected Packages

npm ws
ECOSYSTEM: ≥0 <1.0.1

CVSS Scoring

CVSS Score

2.5

Advisory provided by GitHub Security Advisory Database. Published: February 18, 2019, Modified: August 31, 2020


Published: 2018-05-31T20:00:00Z
Last Modified: 2024-09-17T02:57:19.095Z