CVE-2021-32640 - OpenCVE

ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server. The vulnerability has been fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff). In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:L/Au:N/C:N/I:N/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Ws Project	Ws
Netapp	E-series Performance Analyzer

Configuration 1 [-]

OR	cpe:2.3:a:ws_project:ws::::::node.js::*
	cpe:2.3:a:ws_project:ws::::::node.js::*

Configuration 2 [-]

cpe:2.3:a:netapp:e-series_performance_analyzer:-:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff	Patch Third Party Advisory
https://github.com/websockets/ws/security/advisories/GHSA-6fc8-4gx4-v693	Exploit Mitigation Patch Third Party Advisory
https://lists.apache.org/thread.html/rdfa7b6253c4d6271e31566ecd5f30b7ce1b8fb2c89d52b8c4e0f4e30%40%3Ccommits.tinkerpop.apache.org%3E
https://security.netapp.com/advisory/ntap-20210706-0005/	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitHub_M

Published: 2021-05-25T18:25:09

Updated: 2021-07-06T07:06:26

Reserved: 2021-05-12T00:00:00

Link: CVE-2021-32640

JSON object: View

NVD Information

Status : Modified

Published: 2021-05-25T19:15:07.767

Modified: 2023-11-07T03:35:20.380

Link: CVE-2021-32640

JSON object: View

Redhat Information

No data.

CWE

CWE-400

{"containers": {"cna": {"affected": [{"product": "ws", "vendor": "websockets", "versions": [{"status": "affected", "version": ">= 5.0.0 <= 7.4.5"}]}], "descriptions": [{"lang": "en", "value": "ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server. The vulnerability has been fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff). In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-07-06T07:06:26", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/websockets/ws/security/advisories/GHSA-6fc8-4gx4-v693"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff"}, {"name": "[tinkerpop-commits] 20210701 [tinkerpop] 01/03: Bumped ws to 6.2.2 to address CVE-2021-32640 CTR", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/rdfa7b6253c4d6271e31566ecd5f30b7ce1b8fb2c89d52b8c4e0f4e30%40%3Ccommits.tinkerpop.apache.org%3E"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20210706-0005/"}], "source": {"advisory": "GHSA-6fc8-4gx4-v693", "discovery": "UNKNOWN"}, "title": "ReDoS in Sec-Websocket-Protocol header", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-32640", "STATE": "PUBLIC", "TITLE": "ReDoS in Sec-Websocket-Protocol header"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "ws", "version": {"version_data": [{"version_value": ">= 5.0.0 <= 7.4.5"}]}}]}, "vendor_name": "websockets"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server. The vulnerability has been fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff). In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-400: Uncontrolled Resource Consumption"}]}]}, "references": {"reference_data": [{"name": "https://github.com/websockets/ws/security/advisories/GHSA-6fc8-4gx4-v693", "refsource": "CONFIRM", "url": "https://github.com/websockets/ws/security/advisories/GHSA-6fc8-4gx4-v693"}, {"name": "https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff", "refsource": "MISC", "url": "https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff"}, {"name": "[tinkerpop-commits] 20210701 [tinkerpop] 01/03: Bumped ws to 6.2.2 to address CVE-2021-32640 CTR", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rdfa7b6253c4d6271e31566ecd5f30b7ce1b8fb2c89d52b8c4e0f4e30@%3Ccommits.tinkerpop.apache.org%3E"}, {"name": "https://security.netapp.com/advisory/ntap-20210706-0005/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20210706-0005/"}]}, "source": {"advisory": "GHSA-6fc8-4gx4-v693", "discovery": "UNKNOWN"}}}}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-32640", "datePublished": "2021-05-25T18:25:09", "dateReserved": "2021-05-12T00:00:00", "dateUpdated": "2021-07-06T07:06:26", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ws_project:ws:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "17BC31A7-9CB8-47EC-89C4-A4809CE9E47D", "versionEndExcluding": "6.2.2", "versionStartIncluding": "5.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:ws_project:ws:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "5CCD3F79-60EA-49AB-B02C-327182F655A8", "versionEndExcluding": "7.4.6", "versionStartIncluding": "7.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:netapp:e-series_performance_analyzer:-:*:*:*:*:*:*:*", "matchCriteriaId": "24B8DB06-590A-4008-B0AB-FCD1401C77C6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server. The vulnerability has been fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff). In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options."}, {"lang": "es", "value": "ws es una biblioteca de servidor y cliente WebSocket de c\u00f3digo abierto para Node.js. Un valor especialmente dise\u00f1ado del encabezado \"Sec-Websocket-Protocol\" puede ser usado para ralentizar significativamente un servidor ws. La vulnerabilidad ha sido corregida en la versi\u00f3n ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff). En las versiones vulnerables de ws, el problema puede ser mitigado al reducir la longitud m\u00e1xima permitida de los encabezados de petici\u00f3n utilizando [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) y/o las opciones [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener)"}], "id": "CVE-2021-32640", "lastModified": "2023-11-07T03:35:20.380", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2021-05-25T19:15:07.767", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Patch", "Third Party Advisory"], "url": "https://github.com/websockets/ws/security/advisories/GHSA-6fc8-4gx4-v693"}, {"source": "security-advisories@github.com", "url": "https://lists.apache.org/thread.html/rdfa7b6253c4d6271e31566ecd5f30b7ce1b8fb2c89d52b8c4e0f4e30%40%3Ccommits.tinkerpop.apache.org%3E"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20210706-0005/"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-400"}], "source": "security-advisories@github.com", "type": "Secondary"}]}