CVE-2017-16031
HIGH7.5EPSS 0.39%Insecure randomness in socket.io
發布日:2018/11/7修改日:2023/11/8
描述
Affected versions of `socket.io` depend on `Math.random()` to create socket IDs, and therefore the IDs are predictable. With enough information on prior IDs, an attacker may be able to guess the socket ID and gain access to socket.io servers without authorization. ## Recommendation Update to v0.9.7 or later.
受影響套件(1)
- npm/socket.iofrom 0, < 0.9.7
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.5 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
參考連結(7)
- ADVISORYhttps://github.com/advisories/GHSA-qv2v-m59f-v5fw
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2017-16031
- PATCHhttps://github.com/socketio/socket.io
- WEBhttps://github.com/socketio/socket.io/commit/67b4eb9abdf111dfa9be4176d1709374a2b4ded8
- WEBhttps://github.com/socketio/socket.io/issues/856
- WEBhttps://github.com/socketio/socket.io/pull/857
- WEBhttps://www.npmjs.com/advisories/321