GHSA-4r4m-hjwj-43p8

Source

https://github.com/advisories/GHSA-4r4m-hjwj-43p8

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/02/GHSA-4r4m-hjwj-43p8/GHSA-4r4m-hjwj-43p8.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-4r4m-hjwj-43p8

Aliases

CVE-2016-10536

Published

2019-02-18T23:39:50Z

Modified

2023-11-08T03:58:11.209416Z

Severity

5.9 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

Insecure Defaults Allow MITM Over TLS in engine.io-client

Details

Affected versions of engine.io-client do not verify certificates by default, and as such may be vulnerable to Man-in-the-Middle attacks.

The vulnerability is related to the way that node.js handles the rejectUnauthorized setting. If the value is something that evaluates to false, such as undefined or null, certificate verification will be disabled.

Recommendation

Update to version 1.6.9 or later.

If you are unable to upgrade, ensure all calls to socket.io to have a rejectedUnauthorized: true flag.

Database specific

{
    "github_reviewed_at": "2020-06-16T20:58:54Z",
    "cwe_ids": [
        "CWE-300"
    ],
    "nvd_published_at": null,
    "severity": "MODERATE",
    "github_reviewed": true
}

References

Affected packages

npm / engine.io-client

Package

Name: engine.io-client; View open source insights on deps.dev
Purl: pkg:npm/engine.io-client

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.6.9