Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
4 vulnerabilities found for socket.io by socket
CVE-2020-28481 (GCVE-0-2020-28481)
Vulnerability from cvelistv5 – Published: 2021-01-19 14:45 – Updated: 2024-09-16 20:11
VLAI
Title
Insecure Defaults
Summary
The package socket.io before 2.4.0 are vulnerable to Insecure Defaults due to CORS Misconfiguration. All domains are whitelisted by default.
Severity
CWE
- Insecure Defaults
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://snyk.io/vuln/SNYK-JS-SOCKETIO-1024859 | x_refsource_MISC |
| https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1056357 | x_refsource_MISC |
| https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1056358 | x_refsource_MISC |
| https://github.com/socketio/socket.io/issues/3671 | x_refsource_MISC |
Impacted products
Date Public
2021-01-19 00:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T16:40:59.584Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JS-SOCKETIO-1024859"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1056357"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1056358"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/socketio/socket.io/issues/3671"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "socket.io",
"vendor": "n/a",
"versions": [
{
"lessThan": "2.4.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "ni8walk3r"
}
],
"datePublic": "2021-01-19T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The package socket.io before 2.4.0 are vulnerable to Insecure Defaults due to CORS Misconfiguration. All domains are whitelisted by default."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"exploitCodeMaturity": "PROOF_OF_CONCEPT",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"remediationLevel": "OFFICIAL_FIX",
"reportConfidence": "CONFIRMED",
"scope": "UNCHANGED",
"temporalScore": 4.8,
"temporalSeverity": "MEDIUM",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Insecure Defaults",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-01-19T14:45:16.000Z",
"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"shortName": "snyk"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JS-SOCKETIO-1024859"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1056357"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1056358"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/socketio/socket.io/issues/3671"
}
],
"title": "Insecure Defaults",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "report@snyk.io",
"DATE_PUBLIC": "2021-01-19T14:44:58.073500Z",
"ID": "CVE-2020-28481",
"STATE": "PUBLIC",
"TITLE": "Insecure Defaults"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "socket.io",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "2.4.0"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "ni8walk3r"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The package socket.io before 2.4.0 are vulnerable to Insecure Defaults due to CORS Misconfiguration. All domains are whitelisted by default."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Insecure Defaults"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://snyk.io/vuln/SNYK-JS-SOCKETIO-1024859",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JS-SOCKETIO-1024859"
},
{
"name": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1056357",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1056357"
},
{
"name": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1056358",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1056358"
},
{
"name": "https://github.com/socketio/socket.io/issues/3671",
"refsource": "MISC",
"url": "https://github.com/socketio/socket.io/issues/3671"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"assignerShortName": "snyk",
"cveId": "CVE-2020-28481",
"datePublished": "2021-01-19T14:45:17.064Z",
"dateReserved": "2020-11-12T00:00:00.000Z",
"dateUpdated": "2024-09-16T20:11:33.987Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-16031 (GCVE-0-2017-16031)
Vulnerability from cvelistv5 – Published: 2018-06-04 19:00 – Updated: 2024-09-16 21:07
VLAI
Summary
Socket.io is a realtime application framework that provides communication via websockets. Because socket.io 0.9.6 and earlier depends on `Math.random()` to create socket IDs, the IDs are predictable. An attacker is able to guess the socket ID and gain access to socket.io servers, potentially obtaining sensitive information.
Severity
No CVSS data available.
CWE
- Account Hijacking
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/socketio/socket.io/commit/67b4… | x_refsource_MISC |
| https://github.com/socketio/socket.io/issues/856 | x_refsource_MISC |
| https://github.com/socketio/socket.io/pull/857 | x_refsource_MISC |
| https://nodesecurity.io/advisories/321 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| HackerOne | socket.io node module |
Affected:
<=0.9.6
|
Date Public
2018-04-26 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T20:13:06.634Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/socketio/socket.io/commit/67b4eb9abdf111dfa9be4176d1709374a2b4ded8"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/socketio/socket.io/issues/856"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/socketio/socket.io/pull/857"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://nodesecurity.io/advisories/321"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "socket.io node module",
"vendor": "HackerOne",
"versions": [
{
"status": "affected",
"version": "\u003c=0.9.6"
}
]
}
],
"datePublic": "2018-04-26T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Socket.io is a realtime application framework that provides communication via websockets. Because socket.io 0.9.6 and earlier depends on `Math.random()` to create socket IDs, the IDs are predictable. An attacker is able to guess the socket ID and gain access to socket.io servers, potentially obtaining sensitive information."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Account Hijacking",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-06-04T18:57:01.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/socketio/socket.io/commit/67b4eb9abdf111dfa9be4176d1709374a2b4ded8"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/socketio/socket.io/issues/856"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/socketio/socket.io/pull/857"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://nodesecurity.io/advisories/321"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"DATE_PUBLIC": "2018-04-26T00:00:00",
"ID": "CVE-2017-16031",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "socket.io node module",
"version": {
"version_data": [
{
"version_value": "\u003c=0.9.6"
}
]
}
}
]
},
"vendor_name": "HackerOne"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Socket.io is a realtime application framework that provides communication via websockets. Because socket.io 0.9.6 and earlier depends on `Math.random()` to create socket IDs, the IDs are predictable. An attacker is able to guess the socket ID and gain access to socket.io servers, potentially obtaining sensitive information."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Account Hijacking"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/socketio/socket.io/commit/67b4eb9abdf111dfa9be4176d1709374a2b4ded8",
"refsource": "MISC",
"url": "https://github.com/socketio/socket.io/commit/67b4eb9abdf111dfa9be4176d1709374a2b4ded8"
},
{
"name": "https://github.com/socketio/socket.io/issues/856",
"refsource": "MISC",
"url": "https://github.com/socketio/socket.io/issues/856"
},
{
"name": "https://github.com/socketio/socket.io/pull/857",
"refsource": "MISC",
"url": "https://github.com/socketio/socket.io/pull/857"
},
{
"name": "https://nodesecurity.io/advisories/321",
"refsource": "MISC",
"url": "https://nodesecurity.io/advisories/321"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2017-16031",
"datePublished": "2018-06-04T19:00:00.000Z",
"dateReserved": "2017-10-29T00:00:00.000Z",
"dateUpdated": "2024-09-16T21:07:25.207Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-28481 (GCVE-0-2020-28481)
Vulnerability from nvd – Published: 2021-01-19 14:45 – Updated: 2024-09-16 20:11
VLAI
Title
Insecure Defaults
Summary
The package socket.io before 2.4.0 are vulnerable to Insecure Defaults due to CORS Misconfiguration. All domains are whitelisted by default.
Severity
CWE
- Insecure Defaults
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://snyk.io/vuln/SNYK-JS-SOCKETIO-1024859 | x_refsource_MISC |
| https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1056357 | x_refsource_MISC |
| https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1056358 | x_refsource_MISC |
| https://github.com/socketio/socket.io/issues/3671 | x_refsource_MISC |
Impacted products
Date Public
2021-01-19 00:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T16:40:59.584Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JS-SOCKETIO-1024859"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1056357"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1056358"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/socketio/socket.io/issues/3671"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "socket.io",
"vendor": "n/a",
"versions": [
{
"lessThan": "2.4.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "ni8walk3r"
}
],
"datePublic": "2021-01-19T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The package socket.io before 2.4.0 are vulnerable to Insecure Defaults due to CORS Misconfiguration. All domains are whitelisted by default."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"exploitCodeMaturity": "PROOF_OF_CONCEPT",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"remediationLevel": "OFFICIAL_FIX",
"reportConfidence": "CONFIRMED",
"scope": "UNCHANGED",
"temporalScore": 4.8,
"temporalSeverity": "MEDIUM",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Insecure Defaults",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-01-19T14:45:16.000Z",
"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"shortName": "snyk"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JS-SOCKETIO-1024859"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1056357"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1056358"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/socketio/socket.io/issues/3671"
}
],
"title": "Insecure Defaults",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "report@snyk.io",
"DATE_PUBLIC": "2021-01-19T14:44:58.073500Z",
"ID": "CVE-2020-28481",
"STATE": "PUBLIC",
"TITLE": "Insecure Defaults"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "socket.io",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "2.4.0"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "ni8walk3r"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The package socket.io before 2.4.0 are vulnerable to Insecure Defaults due to CORS Misconfiguration. All domains are whitelisted by default."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Insecure Defaults"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://snyk.io/vuln/SNYK-JS-SOCKETIO-1024859",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JS-SOCKETIO-1024859"
},
{
"name": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1056357",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1056357"
},
{
"name": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1056358",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1056358"
},
{
"name": "https://github.com/socketio/socket.io/issues/3671",
"refsource": "MISC",
"url": "https://github.com/socketio/socket.io/issues/3671"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"assignerShortName": "snyk",
"cveId": "CVE-2020-28481",
"datePublished": "2021-01-19T14:45:17.064Z",
"dateReserved": "2020-11-12T00:00:00.000Z",
"dateUpdated": "2024-09-16T20:11:33.987Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-16031 (GCVE-0-2017-16031)
Vulnerability from nvd – Published: 2018-06-04 19:00 – Updated: 2024-09-16 21:07
VLAI
Summary
Socket.io is a realtime application framework that provides communication via websockets. Because socket.io 0.9.6 and earlier depends on `Math.random()` to create socket IDs, the IDs are predictable. An attacker is able to guess the socket ID and gain access to socket.io servers, potentially obtaining sensitive information.
Severity
No CVSS data available.
CWE
- Account Hijacking
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/socketio/socket.io/commit/67b4… | x_refsource_MISC |
| https://github.com/socketio/socket.io/issues/856 | x_refsource_MISC |
| https://github.com/socketio/socket.io/pull/857 | x_refsource_MISC |
| https://nodesecurity.io/advisories/321 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| HackerOne | socket.io node module |
Affected:
<=0.9.6
|
Date Public
2018-04-26 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T20:13:06.634Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/socketio/socket.io/commit/67b4eb9abdf111dfa9be4176d1709374a2b4ded8"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/socketio/socket.io/issues/856"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/socketio/socket.io/pull/857"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://nodesecurity.io/advisories/321"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "socket.io node module",
"vendor": "HackerOne",
"versions": [
{
"status": "affected",
"version": "\u003c=0.9.6"
}
]
}
],
"datePublic": "2018-04-26T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Socket.io is a realtime application framework that provides communication via websockets. Because socket.io 0.9.6 and earlier depends on `Math.random()` to create socket IDs, the IDs are predictable. An attacker is able to guess the socket ID and gain access to socket.io servers, potentially obtaining sensitive information."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Account Hijacking",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-06-04T18:57:01.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/socketio/socket.io/commit/67b4eb9abdf111dfa9be4176d1709374a2b4ded8"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/socketio/socket.io/issues/856"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/socketio/socket.io/pull/857"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://nodesecurity.io/advisories/321"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"DATE_PUBLIC": "2018-04-26T00:00:00",
"ID": "CVE-2017-16031",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "socket.io node module",
"version": {
"version_data": [
{
"version_value": "\u003c=0.9.6"
}
]
}
}
]
},
"vendor_name": "HackerOne"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Socket.io is a realtime application framework that provides communication via websockets. Because socket.io 0.9.6 and earlier depends on `Math.random()` to create socket IDs, the IDs are predictable. An attacker is able to guess the socket ID and gain access to socket.io servers, potentially obtaining sensitive information."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Account Hijacking"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/socketio/socket.io/commit/67b4eb9abdf111dfa9be4176d1709374a2b4ded8",
"refsource": "MISC",
"url": "https://github.com/socketio/socket.io/commit/67b4eb9abdf111dfa9be4176d1709374a2b4ded8"
},
{
"name": "https://github.com/socketio/socket.io/issues/856",
"refsource": "MISC",
"url": "https://github.com/socketio/socket.io/issues/856"
},
{
"name": "https://github.com/socketio/socket.io/pull/857",
"refsource": "MISC",
"url": "https://github.com/socketio/socket.io/pull/857"
},
{
"name": "https://nodesecurity.io/advisories/321",
"refsource": "MISC",
"url": "https://nodesecurity.io/advisories/321"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2017-16031",
"datePublished": "2018-06-04T19:00:00.000Z",
"dateReserved": "2017-10-29T00:00:00.000Z",
"dateUpdated": "2024-09-16T21:07:25.207Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}