Skip to content

CVE-2020-7693 (Medium) detected in sockjs-0.3.18.tgz, sockjs-0.3.19.tgz #3

New issue
New issue
Open
Open
CVE-2020-7693 (Medium) detected in sockjs-0.3.18.tgz, sockjs-0.3.19.tgz#3
Labels
Mend: dependency security vulnerabilitySecurity vulnerability detected by WhiteSource
@mend-bolt-for-github

Description

@mend-bolt-for-github
mend-bolt-for-github
bot
opened on Jan 13, 2022

CVE-2020-7693 - Medium Severity Vulnerability

Vulnerable Libraries - sockjs-0.3.18.tgz, sockjs-0.3.19.tgz

sockjs-0.3.18.tgz

SockJS-node is a server counterpart of SockJS-client a JavaScript library that provides a WebSocket-like object in the browser. SockJS gives you a coherent, cross-browser, Javascript API which creates a low latency, full duplex, cross-domain communication

Library home page: https://registry.npmjs.org/sockjs/-/sockjs-0.3.18.tgz

Path to dependency file: /fixtures/concurrent/time-slicing/package.json

Path to vulnerable library: /fixtures/concurrent/time-slicing/package.json,/fixtures/ssr/package.json,/fixtures/expiration/package.json,/fixtures/dom/package.json,/fixtures/fiber-debugger/node_modules/sockjs/package.json,/fixtures/attribute-behavior/package.json

Dependency Hierarchy:

  • react-scripts-1.1.4.tgz (Root Library)
    • webpack-dev-server-2.9.4.tgz
      • sockjs-0.3.18.tgz (Vulnerable Library)
sockjs-0.3.19.tgz

SockJS-node is a server counterpart of SockJS-client a JavaScript library that provides a WebSocket-like object in the browser. SockJS gives you a coherent, cross-browser, Javascript API which creates a low latency, full duplex, cross-domain communication

Library home page: https://registry.npmjs.org/sockjs/-/sockjs-0.3.19.tgz

Path to dependency file: /fixtures/flight/package.json

Path to vulnerable library: /fixtures/flight/package.json,/package.json,/fixtures/blocks/package.json

Dependency Hierarchy:

  • webpack-dev-server-3.2.1.tgz (Root Library)
    • sockjs-0.3.19.tgz (Vulnerable Library)

Found in HEAD commit: 4669645897ed4ebcd4ee037f4dabb509ed4754c7

Found in base branch: master

Vulnerability Details

Incorrect handling of Upgrade header with the value websocket leads in crashing of containers hosting sockjs apps. This affects the package sockjs before 0.3.20.

Publish Date: 2020-07-09

URL: CVE-2020-7693

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-07-09

Fix Resolution (sockjs): 0.3.20

Direct dependency fix Resolution (react-scripts): 3.4.2

Fix Resolution (sockjs): 0.3.20

Direct dependency fix Resolution (webpack-dev-server): 3.11.0

Step up your Open Source Security Game with Mend here

Metadata

Metadata

Assignees

No one assigned

    Labels

    Mend: dependency security vulnerabilitySecurity vulnerability detected by WhiteSource

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions