CVE-2016-10518

Severity Score

7.5

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

A vulnerability was found in the ping functionality of the ws module before 1.0.0 which allowed clients to allocate memory by sending a ping frame. The ping functionality by default responds with a pong frame and the previously given payload of the ping frame. This is exactly what you expect, but internally ws always transforms all data that we need to send to a Buffer instance and that is where the vulnerability existed. ws didn't do any checks for the type of data it was sending. With buffers in node when you allocate it when a number instead of a string it will allocate the amount of bytes.

Se ha encontrado una vulnerabilidad en la funcionalidad ping del módulo ws en versiones anteriores a la 1.0.0 que permite que los clientes asignen memoria mediante el envío de un frame ping. Por defecto, la funcionalidad ping responde con un frame pong y la carga útil dada anteriormente del frame ping. Esto es exactamente lo que se espera, pero, internamente, ws siempre transforma todos los datos que se necesitan enviar a una instancia Buffer, donde existía la vulnerabilidad. ws no realizó ninguna comprobación para el tipo de datos que estaba enviando. Con los búfers en node, cuando se asigna con un número en lugar de una cadena, asignará la cantidad de bytes.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2017-10-29 CVE Reserved
2018-05-31 CVE Published
2023-10-22 EPSS Updated
2024-09-17 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE-201: Insertion of Sensitive Information Into Sent Data

CAPEC

References (3)

URL	Tag	Source
https://github.com/websockets/ws/releases/tag/1.0.1	Release Notes
https://nodesecurity.io/advisories/67	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
https://gist.github.com/c0nrad/e92005446c480707a74a	2019-10-09

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Ws Project Search vendor "Ws Project"		Ws Search vendor "Ws Project" for product "Ws"				< 1.0.1 Search vendor "Ws Project" for product "Ws" and version " < 1.0.1"		node.js		Affected