CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 4CVE-2020-7662 – npmjs-websocket-extensions: ReDoS vulnerability in Sec-WebSocket-Extensions parser
https://notcve.org/view.php?id=CVE-2020-7662
websocket-extensions npm module prior to 0.1.4 allows Denial of Service (DoS) via Regex Backtracking. The extension parser may take quadratic time when parsing a header containing an unclosed string parameter value whose content is a repeating two-byte sequence of a backslash and some other character. This could be abused by an attacker to conduct Regex Denial Of Service (ReDoS) on a single-threaded server by providing a malicious payload with the Sec-WebSocket-Extensions header. El módulo de npm websocket-extensions versiones anteriores a 0.1.4 permite una denegación de servicio (DoS) por medio de Regex Backtracking. El analizador de extensiones puede tardar un tiempo cuadrático cuando analiza un encabezado que contiene un valor de parámetro de cadena no cerrado cuyo contenido es una secuencia repetitiva de dos bytes de una barra diagonal inversa y algún otro carácter. • https://github.com/ossf-cve-benchmark/CVE-2020-7662 https://blog.jcoglan.com/2020/06/02/redos-vulnerability-in-websocket-extensions https://github.com/faye/websocket-extensions-node/commit/29496f6838bfadfe5a2f85dff33ed0ba33873237 https://github.com/faye/websocket-extensions-node/security/advisories/GHSA-g78m-2chm-r7qv https://snyk.io/vuln/SNYK-JS-WEBSOCKETEXTENSIONS-570623 https://access.redhat.com/security/cve/CVE-2020-7662 https://bugzilla.redhat.com/show_bug.cgi?id=1845982 • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 1%CPEs: 5EXPL: 1CVE-2020-7663 – rubygem-websocket-extensions: ReDoS vulnerability in Sec-WebSocket-Extensions parser
https://notcve.org/view.php?id=CVE-2020-7663
websocket-extensions ruby module prior to 0.1.5 allows Denial of Service (DoS) via Regex Backtracking. The extension parser may take quadratic time when parsing a header containing an unclosed string parameter value whose content is a repeating two-byte sequence of a backslash and some other character. This could be abused by an attacker to conduct Regex Denial Of Service (ReDoS) on a single-threaded server by providing a malicious payload with the Sec-WebSocket-Extensions header. El módulo de ruby websocket-extensions versiones anteriores a 0.1.5, permite una denegación de servicio (DoS) por medio de Regex Backtracking. El analizador de extensiones puede tomar un tiempo cuadrático cuando analiza un encabezado que contiene un valor de parámetro de cadena no cerrado cuyo contenido es una secuencia repetitiva de dos bytes de una barra diagonal inversa y algún otro carácter. • https://blog.jcoglan.com/2020/06/02/redos-vulnerability-in-websocket-extensions https://github.com/faye/websocket-extensions-ruby/commit/aa156a439da681361ed6f53f1a8131892418838b https://github.com/faye/websocket-extensions-ruby/security/advisories/GHSA-g6wq-qcwm-j5g2 https://lists.debian.org/debian-lts-announce/2020/08/msg00031.html https://snyk.io/vuln/SNYK-RUBY-WEBSOCKETEXTENSIONS-570830 https://usn.ubuntu.com/4502-1 https://access.redhat.com/security/cve/CVE-2020-7663 https://bugzilla.redhat.com/show • CWE-400: Uncontrolled Resource Consumption •