Lookup for vulnerable packages by Package URL.

Purl pkg:npm/ws@1.0.1
Type npm
Namespace
Name ws
Version 1.0.1
Qualifiers
Subpath
Is_vulnerable false
Next_non_vulnerable_version 1.1.1
Latest_non_vulnerable_version 3.3.1
Affected_by_vulnerabilities
Fixing_vulnerabilities
0
url VCID-1h47-fru4-1ugx
vulnerability_id VCID-1h47-fru4-1ugx
summary
Improper Restriction of Operations within the Bounds of a Memory Buffer
A vulnerability was found in the ping functionality of the ws module before 1.0.0 which allowed clients to allocate memory by sending a ping frame. The ping functionality by default responds with a pong frame and the previously given payload of the ping frame. This is exactly what you expect, but internally ws always transforms all data that we need to send to a Buffer instance, and that is where the vulnerability existed. ws didn't do any checks for the type of data it was sending. With Buffers in Node, when you allocate one with a number instead of a string, it allocates that number of bytes.
references
0
reference_url https://gist.github.com/c0nrad/e92005446c480707a74a
reference_id
reference_type
scores
url https://gist.github.com/c0nrad/e92005446c480707a74a
1
reference_url https://github.com/websockets/ws/releases/tag/1.0.1
reference_id
reference_type
scores
url https://github.com/websockets/ws/releases/tag/1.0.1
2
reference_url https://nodesecurity.io/advisories/67
reference_id
reference_type
scores
url https://nodesecurity.io/advisories/67
3
reference_url https://www.npmjs.com/advisories/67
reference_id
reference_type
scores
url https://www.npmjs.com/advisories/67
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2016-10518
reference_id CVE-2016-10518
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2016-10518
5
reference_url https://github.com/advisories/GHSA-2mhh-w6q8-5hxw
reference_id GHSA-2mhh-w6q8-5hxw
reference_type
scores
url https://github.com/advisories/GHSA-2mhh-w6q8-5hxw
fixed_packages
0
url pkg:npm/ws@1.0.1
purl pkg:npm/ws@1.0.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/ws@1.0.1
aliases CVE-2016-10518, GHSA-2mhh-w6q8-5hxw
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-1h47-fru4-1ugx
1
url VCID-8ke9-r4b8-cfd6
vulnerability_id VCID-8ke9-r4b8-cfd6
summary
Remote Memory Disclosure
When given a number instead of a string, the ping function sends a non zeroed buffer of the corresponding length which exposes memory to the recipient.
references
0
reference_url https://github.com/websockets/ws/releases/tag/1.0.1
reference_id
reference_type
scores
url https://github.com/websockets/ws/releases/tag/1.0.1
fixed_packages
0
url pkg:npm/ws@1.0.1
purl pkg:npm/ws@1.0.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/ws@1.0.1
aliases GMS-2016-2
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-8ke9-r4b8-cfd6
Risk_score null
Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/ws@1.0.1