search

artkamote / examples

Serverless Examples – A collection of boilerplates and examples of serverless architectures built with the Serverless Framework on AWS Lambda, Microsoft Azure, Google Cloud Functions, and more.
https://www.serverless.com/examples/
Other
0 stars 0 forks source link

CVE-2024-37890 (High) detected in multiple libraries #387

Open mend-bolt-for-github[bot] opened 1 week ago

mend-bolt-for-github[bot] commented 1 week ago

CVE-2024-37890 - High Severity Vulnerability

Vulnerable Libraries - ws-3.3.3.tgz, ws-6.1.4.tgz, ws-6.2.1.tgz, ws-5.2.2.tgz, ws-7.4.6.tgz, ws-6.2.2.tgz, ws-7.3.1.tgz, ws-8.2.3.tgz, ws-5.2.3.tgz, ws-7.5.5.tgz

ws-3.3.3.tgz

Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js

Library home page: https://registry.npmjs.org/ws/-/ws-3.3.3.tgz

Path to dependency file: /aws-node-oauth-dropbox-api/package.json

Path to vulnerable library: /aws-node-oauth-dropbox-api/node_modules/ws/package.json

Dependency Hierarchy: - chromeless-1.5.2.tgz (Root Library) - chrome-remote-interface-0.25.6.tgz - :x: **ws-3.3.3.tgz** (Vulnerable Library)

ws-6.1.4.tgz

Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js

Library home page: https://registry.npmjs.org/ws/-/ws-6.1.4.tgz

Path to dependency file: /aws-node-typescript-apollo-lambda/package.json

Path to vulnerable library: /aws-node-typescript-apollo-lambda/node_modules/engine.io-client/node_modules/ws/package.json

Dependency Hierarchy: - serverless-1.79.0.tgz (Root Library) - components-2.34.6.tgz - platform-client-china-1.0.33.tgz - utils-china-0.1.23.tgz - socket.io-client-2.3.0.tgz - engine.io-client-3.4.3.tgz - :x: **ws-6.1.4.tgz** (Vulnerable Library)

ws-6.2.1.tgz

Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js

Library home page: https://registry.npmjs.org/ws/-/ws-6.2.1.tgz

Path to dependency file: /aws-node-typescript-apollo-lambda/package.json

Path to vulnerable library: /aws-node-typescript-apollo-lambda/node_modules/ws/package.json

Dependency Hierarchy: - apollo-server-lambda-2.16.1.tgz (Root Library) - apollo-server-core-2.16.1.tgz - :x: **ws-6.2.1.tgz** (Vulnerable Library)

ws-5.2.2.tgz

Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js

Library home page: https://registry.npmjs.org/ws/-/ws-5.2.2.tgz

Path to dependency file: /aws-node-graphql-and-rds/package.json

Path to vulnerable library: /aws-node-graphql-and-rds/node_modules/ws/package.json,/aws-node-fullstack/frontend/node_modules/ws/package.json,/aws-node-typescript-apollo-lambda/node_modules/subscriptions-transport-ws/node_modules/ws/package.json,/aws-node-typescript-nest/node_modules/ws/package.json

Dependency Hierarchy: - graphql-yoga-1.17.4.tgz (Root Library) - subscriptions-transport-ws-0.9.16.tgz - :x: **ws-5.2.2.tgz** (Vulnerable Library)

ws-7.4.6.tgz

Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js

Library home page: https://registry.npmjs.org/ws/-/ws-7.4.6.tgz

Path to dependency file: /aws-rust-simple-http-endpoint/package.json

Path to vulnerable library: /aws-rust-simple-http-endpoint/node_modules/engine.io-client/node_modules/ws/package.json,/aws-python-auth0-custom-authorizers-api/node_modules/engine.io-client/node_modules/ws/package.json,/aws-golang-auth-examples/node_modules/engine.io-client/node_modules/ws/package.json,/aws-golang-dynamo-stream-to-elasticsearch/node_modules/engine.io-client/node_modules/ws/package.json,/aws-node-dynamic-image-resizer/node_modules/engine.io-client/node_modules/ws/package.json,/aws-node-typescript-nest/node_modules/serverless-offline/node_modules/ws/package.json,/aws-node-rest-api-typescript-simple/node_modules/engine.io-client/node_modules/ws/package.json,/aws-node-http-api-typescript/node_modules/engine.io-client/node_modules/ws/package.json

Dependency Hierarchy: - serverless-1.83.3.tgz (Root Library) - components-2.34.9.tgz - platform-client-china-1.1.0.tgz - utils-china-0.1.28.tgz - socket.io-client-2.4.0.tgz - engine.io-client-3.5.2.tgz - :x: **ws-7.4.6.tgz** (Vulnerable Library)

ws-6.2.2.tgz

Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js

Library home page: https://registry.npmjs.org/ws/-/ws-6.2.2.tgz

Path to dependency file: /aws-node-http-api-typescript/package.json

Path to vulnerable library: /aws-node-http-api-typescript/node_modules/@serverless/platform-sdk/node_modules/ws/package.json,/aws-python-auth0-custom-authorizers-api/node_modules/@serverless/platform-sdk/node_modules/ws/package.json,/aws-golang-auth-examples/node_modules/@serverless/platform-sdk/node_modules/ws/package.json,/aws-rust-simple-http-endpoint/node_modules/@serverless/platform-sdk/node_modules/ws/package.json,/aws-node-puppeteer/node_modules/ws/package.json,/aws-node-rest-api-typescript-simple/node_modules/@serverless/platform-sdk/node_modules/ws/package.json,/aws-golang-dynamo-stream-to-elasticsearch/node_modules/@serverless/platform-sdk/node_modules/ws/package.json

Dependency Hierarchy: - serverless-1.83.3.tgz (Root Library) - enterprise-plugin-3.8.4.tgz - platform-sdk-2.3.2.tgz - :x: **ws-6.2.2.tgz** (Vulnerable Library)

ws-7.3.1.tgz

Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js

Library home page: https://registry.npmjs.org/ws/-/ws-7.3.1.tgz

Path to dependency file: /aws-node-typescript-apollo-lambda/package.json

Path to vulnerable library: /aws-node-typescript-apollo-lambda/node_modules/serverless/node_modules/ws/package.json,/aws-node-typescript-apollo-lambda/node_modules/@serverless/platform-client/node_modules/ws/package.json,/aws-node-typescript-apollo-lambda/node_modules/serverless-offline/node_modules/ws/package.json,/aws-node-typescript-apollo-lambda/node_modules/@serverless/platform-client-china/node_modules/ws/package.json,/azure-node-typescript-servicebus-trigger-endpoint/node_modules/ws/package.json

Dependency Hierarchy: - serverless-offline-6.8.0.tgz (Root Library) - :x: **ws-7.3.1.tgz** (Vulnerable Library)

ws-8.2.3.tgz

Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js

Library home page: https://registry.npmjs.org/ws/-/ws-8.2.3.tgz

Path to dependency file: /aws-node-rest-api-typescript/package.json

Path to vulnerable library: /aws-node-rest-api-typescript/node_modules/ws/package.json,/aws-node-puppeteer/node_modules/hapi-plugin-websocket/node_modules/ws/package.json

Dependency Hierarchy: - serverless-offline-5.12.1.tgz (Root Library) - hapi-plugin-websocket-2.3.7.tgz - :x: **ws-8.2.3.tgz** (Vulnerable Library)

ws-5.2.3.tgz

Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js

Library home page: https://registry.npmjs.org/ws/-/ws-5.2.3.tgz

Path to dependency file: /aws-node-dynamic-image-resizer/package.json

Path to vulnerable library: /aws-node-dynamic-image-resizer/node_modules/ws/package.json

Dependency Hierarchy: - serverless-1.83.3.tgz (Root Library) - enterprise-plugin-3.8.4.tgz - platform-sdk-2.3.2.tgz - :x: **ws-5.2.3.tgz** (Vulnerable Library)

ws-7.5.5.tgz

Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js

Library home page: https://registry.npmjs.org/ws/-/ws-7.5.5.tgz

Path to dependency file: /aws-node-http-api-typescript/package.json

Path to vulnerable library: /aws-node-http-api-typescript/node_modules/ws/package.json,/aws-golang-dynamo-stream-to-elasticsearch/node_modules/ws/package.json,/aws-node-http-api-dynamodb-local/node_modules/ws/package.json,/aws-rust-simple-http-endpoint/node_modules/ws/package.json,/aws-golang-auth-examples/node_modules/ws/package.json,/aws-python-auth0-custom-authorizers-api/node_modules/ws/package.json,/aws-node-rest-api-with-dynamodb-and-offline/node_modules/ws/package.json,/aws-node-dynamic-image-resizer/node_modules/serverless/node_modules/ws/package.json,/aws-node-fullstack/backend/node_modules/ws/package.json,/aws-node-rest-api-typescript-simple/node_modules/ws/package.json,/aws-node-dynamic-image-resizer/node_modules/@serverless/platform-client/node_modules/ws/package.json,/aws-node-dynamic-image-resizer/node_modules/@serverless/platform-client-china/node_modules/ws/package.json,/aws-node-vue-nuxt-ssr/node_modules/ws/package.json

Dependency Hierarchy: - nuxt-2.15.8.tgz (Root Library) - webpack-2.15.8.tgz - webpack-bundle-analyzer-4.5.0.tgz - :x: **ws-7.5.5.tgz** (Vulnerable Library)

Found in HEAD commit: dcbe4aefe4b3685f4b15493a01db0f19b118a0c4

Found in base branch: master

Vulnerability Details

ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (eeb76d3), and ws@5.2.4 (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. Set server.maxHeadersCount to 0 so that no limit is applied.

Publish Date: 2024-06-17

URL: CVE-2024-37890

CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/websockets/ws/security/advisories/GHSA-3h5v-q93c-6h6q

Release Date: 2024-06-17

Fix Resolution (ws): 5.2.4

Direct dependency fix Resolution (serverless): 1.80.0-06ed01b8

Fix Resolution (ws): 5.2.4

Direct dependency fix Resolution (apollo-server-lambda): 2.17.0

Fix Resolution (ws): 5.2.4

Direct dependency fix Resolution (graphql-yoga): 1.18.0

Fix Resolution (ws): 5.2.4

Direct dependency fix Resolution (serverless): 2.0.0-05627d62

Fix Resolution (ws): 5.2.4

Direct dependency fix Resolution (serverless): 2.0.0-05627d62

Fix Resolution (ws): 5.2.4

Direct dependency fix Resolution (serverless-offline): 6.9.0

Fix Resolution (ws): 5.2.4

Direct dependency fix Resolution (serverless-offline): 6.0.0

Fix Resolution (ws): 5.2.4

Direct dependency fix Resolution (serverless): 2.0.0-05627d62

Fix Resolution (ws): 5.2.4

Direct dependency fix Resolution (nuxt): 2.16.0

Step up your Open Source Security Game with Mend here