CVE-2020-7663
Description
websocket-extensions ruby module prior to 0.1.5 allows Denial of Service (DoS) via Regex Backtracking. The extension parser may take quadratic time when parsing a header containing an unclosed string parameter value whose content is a repeating two-byte sequence of a backslash and some other character. This could be abused by an attacker to conduct Regex Denial Of Service (ReDoS) on a single-threaded server by providing a malicious payload with the Sec-WebSocket-Extensions header.
Risk Information
Base Score
7.5
MODERATE
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score
Exploitation Probability
2.42
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| Vulnerabilities CVE-2020-7663 are fixed in Ruby-websocket-extensions 0.1.5 | Windows |
| Generic extension manager for WebSocket (USN-4502-1) ruby-websocket-extensions_0.1.2-1+deb9u1build0.18.04.1_all.deb | Linux |
| Generic extension manager for WebSocket (USN-4502-1) ruby-websocket-extensions_0.1.2-1+deb9u1build0.20.04.1_all.deb | Linux |
| Vulnerabilities CVE-2020-7663 are fixed in Ruby-websocket-extensions for Linux 0.1.5 | Linux |
Patch Details
No records foundReferences
https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234