1856371 – (CVE-2020-7693) CVE-2020-7693 npmjs-sockjs: incorrect handling of upgrade header with the value websocket leads to DoS

Bug 1856371 (CVE-2020-7693) - CVE-2020-7693 npmjs-sockjs: incorrect handling of upgrade header with the value websocket leads to DoS

Summary: CVE-2020-7693 npmjs-sockjs: incorrect handling of upgrade header with the val...

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2020-7693
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1856408 1856409 1856410 1856411 1857039 1859405
Blocks:	1856373
TreeView+	depends on / blocked

Reported:	2020-07-13 13:31 UTC by Guilherme de Almeida Suckevicz
Modified:	2021-11-04 14:54 UTC (History)
CC List:	16 users (show)
Fixed In Version:	npmjs-sockjs 0.3.20
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2021-11-04 14:54:08 UTC
Embargoed:

Attachments	(Terms of Use)

Description Guilherme de Almeida Suckevicz 2020-07-13 13:31:17 UTC

Incorrect handling of Upgrade header with the value websocket leads in crashing of containers hosting sockjs apps. This affects the package sockjs before 0.3.20.

References:
https://snyk.io/vuln/SNYK-JS-SOCKJS-575261
https://github.com/sockjs/sockjs-node/issues/252

Comment 3 Mark Cooper 2020-07-15 01:43:11 UTC

In OpenShift 4 the container openshift/ose-prometheus packages a vulnerable version of npm-sockjs (0.3.19). 

It is present in the Prometheus ReactUI which is unused in OpenShift, but can still be manually accessed via the URL.

Comment 4 Florencio Cano 2020-07-17 09:26:00 UTC

Mitigation:

There is no mitigation for this issue, the flaw can only be resolved by applying updates.

Note You need to log in before you can comment on or make changes to this bug.