CVE-2024-38355

EPSS 0.14%
Veröffentlicht 19.06.2024 20:15:11
Zuletzt bearbeitet 21.11.2024 09:25:25
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Socket.IO is an open source, real-time, bidirectional, event-based, communication framework. A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process. This issue is fixed by commit `15af22fc22` which has been included in `socket.io@4.6.2` (released in May 2023). The fix was backported in the 2.x branch as well with commit `d30630ba10`. Users are advised to upgrade. Users unable to upgrade may attach a listener for the "error" event to catch these errors.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 2 Referenzen 7

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von Authorized Data Publishers (ADP) (Unstrukturiert)

Herstellersocket

≫

Produkt socket.io

Default Statusunknown

Version < 2.5.1

Version 0

Status affected

Version < 4.6.2

Version 3.0.0

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.14%	0.341

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	7.3	3.9	3.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

CWE-754 Improper Check for Unusual or Exceptional Conditions

The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.

https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115

https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c

https://github.com/socketio/socket.io/security/advisories/GHSA-25hc-qcg6-38wj

https://www.vicarius.io/vsociety/posts/unhandled-exception-in-socketio-cve-2024-38355

https://nvd.nist.gov/vuln/detail/CVE-2024-38355

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-38355

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-38355

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-38355