Vulnerability Details : CVE-2018-21036
Sails.js before v1.0.0-46 allows attackers to cause a denial of service with a single request because there is no error handler in sails-hook-sockets to handle an empty pathname in a WebSocket request.
Vulnerability category: Input validationDenial of service
Products affected by CVE-2018-21036
- cpe:2.3:a:sailsjs:sails:*:*:*:*:*:node.js:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-21036
0.71%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 70 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2018-21036
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
10.0
|
2.9
|
NIST | |
|
7.5
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
3.9
|
3.6
|
NIST |
CWE ids for CVE-2018-21036
-
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.Assigned by: nvd@nist.gov (Primary)
References for CVE-2018-21036
-
http://www.openwall.com/lists/oss-security/2020/07/19/1
oss-security - CVE-2018-21036: Sails.js before v1.0.0-46 DoSMailing List;Third Party Advisory
-
https://github.com/balderdashy/sails-hook-sockets/commit/0533a4864b1920fd8fbb5287bc0889193c5faf44
Follow up to ff02114eaec090ee51db48435cc32d451662606e to ensure req.p… · balderdashy/sails-hook-sockets@0533a48 · GitHubPatch;Third Party Advisory
-
https://github.com/balderdashy/sails-hook-sockets/commit/ff02114eaec090ee51db48435cc32d451662606e
Define req.path for socket requests. · balderdashy/sails-hook-sockets@ff02114 · GitHubPatch;Third Party Advisory
-
https://github.com/balderdashy/sails/blob/56f8276f6501a144a03d1f0f28df4ccdb4ad82e2/CHANGELOG.md
sails/CHANGELOG.md at 56f8276f6501a144a03d1f0f28df4ccdb4ad82e2 · balderdashy/sails · GitHubThird Party Advisory
Jump to