Information disclosure in Socket.io

Published: 2018-08-08 12:51:00
Severity Low
Patch available YES
Number of vulnerabilities 1
CVE ID CVE-2017-16031
CVSSv3 4.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CWE ID CWE-200
Exploitation vector Network
Public exploit N/A
Vulnerable software socket.io
Vulnerable software versions socket.io 0.9.6
socket.io 0.9.5
socket.io 0.9.4


Vendor URL socket.io

Security Advisory

1) Information disclosure

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information.

The vulnerability exists because the affected software generates socket IDs with Math.random(), a non-cryptographic pseudorandom number generator whose output is predictable. A remote attacker who can predict a valid socket ID can send requests under that ID and gain access to the potentially sensitive information exchanged over the associated connection.

Remediation

Update socket.io to version 0.9.7 or later.

External links

https://github.com/socketio/socket.io/issues/856
