Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:npm/engine.io-client@1.6.9

Type npm

Namespace

Name engine.io-client

Version 1.6.9

Qualifiers

Subpath

Is_vulnerable false

Next_non_vulnerable_version 1.6.9

Latest_non_vulnerable_version 1.6.9

Affected_by_vulnerabilities

Fixing_vulnerabilities

url VCID-j7pj-53sk-pbex

vulnerability_id VCID-j7pj-53sk-pbex

summary

Insecure Defaults Allow MITM Over TLS
There's a flaw in the way that node.js handles the `rejectUnauthorized` setting. If the value is something that evaluates to false, certificate verification will be disabled. This is problematic as engine.io-client passes in an object for settings that includes the `rejectUnauthorized` property, whether it has been set or not. If the value has not been explicitly changed, it will be passed in as `null`, resulting in certificate verification being turned off.

references

reference_url	https://github.com/socketio/engine.io-client/commit/2c55b278a491bf45313ecc0825cf800e2f7ff5c1
reference_id
reference_type
scores
url	https://github.com/socketio/engine.io-client/commit/2c55b278a491bf45313ecc0825cf800e2f7ff5c1

reference_url	https://www.cigital.com/blog/node-js-socket-io/
reference_id
reference_type
scores
url	https://www.cigital.com/blog/node-js-socket-io/

fixed_packages

url	pkg:npm/engine.io-client@1.6.9
purl	pkg:npm/engine.io-client@1.6.9
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:npm/engine.io-client@1.6.9

aliases GMS-2016-31

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-j7pj-53sk-pbex

url VCID-rucu-tmtk-duew

vulnerability_id VCID-rucu-tmtk-duew

summary

Improper Certificate Validation
`engine.io-client` is the client for `engine.io`, the implementation of a transport-based `cross-browser/cross-device` bi-directional communication layer for `Socket.IO.` The vulnerability is related to the way that Node.js handles the `rejectUnauthorized` setting. If the value is something that evaluates to false, certificate verification will be disabled.

references

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2016-10536
reference_id	CVE-2016-10536
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2016-10536

fixed_packages

url	pkg:npm/engine.io-client@1.6.9
purl	pkg:npm/engine.io-client@1.6.9
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:npm/engine.io-client@1.6.9

aliases CVE-2016-10536

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-rucu-tmtk-duew

Risk_score null

Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/engine.io-client@1.6.9

Package Instance