Information disclosure in Socket.io

Published: 2018-08-08 12:51:00
Severity Low
Patch available YES
Number of vulnerabilities 1
CVE ID CVE-2017-16031
CVSSv3 4.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CWE ID CWE-200
Exploitation vector Network
Public exploit Not available
Vulnerable software socket.io
Vulnerable software versions socket.io 0.9.6, 0.9.5, 0.9.4 (list truncated on the source page)
Vendor URL socket.io

Security Advisory

1) Information disclosure

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information.

The vulnerability exists because the affected software generates socket IDs with the Math.random() pseudorandom number generator, which is not cryptographically secure, so the resulting IDs are predictable. A remote attacker can guess a valid socket ID and use it in a request to gain access to sensitive information.

Remediation

Update to version 0.9.7.

External links

https://github.com/socketio/socket.io/issues/856
