CVE-2020-7693 : Incorrect handling of Upgrade header with the value websocket leads in crashing

Incorrect handling of Upgrade header with the value websocket leads in crashing of containers hosting sockjs apps. This affects the package sockjs before 0.3.20.

Published 2020-07-09 14:15:11

Updated 2022-07-12 17:42:04

Source Snyk

View at NVD, CVE.org

Products affected by CVE-2020-7693

Sockjs Project » Sockjs » For Node.js
Versions before (<) 0.3.20
cpe:2.3:a:sockjs_project:sockjs:*:*:*:*:*:node.js:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2020-7693

EPSS FAQ

11.97%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 93 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2020-7693

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.0	MEDIUM	AV:N/AC:L/Au:N/C:N/I:N/A:P	10.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: None Integrity Impact: None Availability Impact: Partial
5.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L	3.9	1.4	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: Low
5.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L	3.9	1.4	Snyk
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: Low

CWE ids for CVE-2020-7693

CWE-755 Improper Handling of Exceptional Conditions

The product does not handle or incorrectly handles an exceptional condition.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2020-7693

https://github.com/andsnw/sockjs-dos-py

GitHub - andsnw/sockjs-dos-py: SockJS 0.3.19 Denial of Service POC
Exploit;Third Party Advisory
https://github.com/sockjs/sockjs-node/issues/252

ERR_STREAM_WRITE_AFTER_END when issuing upgrade request on non-existent URL · Issue #252 · sockjs/sockjs-node · GitHub
Exploit;Patch;Third Party Advisory
https://snyk.io/vuln/SNYK-JS-SOCKJS-575261

Denial of Service (DoS) in sockjs | Snyk
Exploit;Third Party Advisory
https://github.com/sockjs/sockjs-node/commit/dd7e642cd69ee74385825816d30642c43e051d16

Merge pull request #266 from cakoose/backport-writeHead-fix · sockjs/sockjs-node@dd7e642 · GitHub
Patch;Third Party Advisory
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-575448

Denial of Service (DoS) in org.webjars.npm:sockjs | Snyk
Exploit;Third Party Advisory
https://github.com/sockjs/sockjs-node/pull/265

Call res.write instead of res.end in writeHead by brycekahle · Pull Request #265 · sockjs/sockjs-node · GitHub
Patch;Third Party Advisory

Jump to

Vulnerability Details : CVE-2020-7693

Products affected by CVE-2020-7693

Exploit prediction scoring system (EPSS) score for CVE-2020-7693

CVSS scores for CVE-2020-7693

CWE ids for CVE-2020-7693

References for CVE-2020-7693