Bug 2293192 (CVE-2024-38355)
Summary: | CVE-2024-38355 socket.io: Unhandled 'error' event
---|---
Product: | [Other] Security Response
Component: | vulnerability
Reporter: | Avinash Hanwate <ahanwate>
Assignee: | Product Security DevOps Team <prodsec-dev>
Status: | NEW
Severity: | high
Priority: | high
Version: | unspecified
CC: | bdettelb, caswilli, chazlett, doconnor, gmalinko, hkataria, janstey, jcantril, jsamir, kaycoth, kshier, pdelbell, pjindal, rstepani, sthirugn, teagle, vkrizan
Keywords: | Security
Hardware: | All
OS: | Linux
Fixed In Version: | socket.io 2.5.1, socket.io 4.6.2
Doc Type: | If docs needed, set a value
Doc Text: | A vulnerability was found in Socket.IO where a specially crafted packet can trigger an uncaught exception on the server, causing the Node.js process to crash. When the server receives this malformed packet, it results in an unhandled error event that stops the Socket.IO server from functioning correctly. This issue arises because the server fails to manage unexpected errors properly, leading to a disruption in service.
Bug Depends On: | 2293886, 2293888, 2293890, 2293891, 2293892, 2293893, 2293887
Bug Blocks: |
Description
Avinash Hanwate
2024-06-20 05:57:48 UTC
Created magicmirror tracking bugs for this issue:
Affects: fedora-all [bug 2293886]

Created python-socketio tracking bugs for this issue:
Affects: fedora-all [bug 2293887]

Created qt6-qtwebengine tracking bugs for this issue:
Affects: fedora-all [bug 2293888]