CVE-2021-32640

Description

ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the Sec-Websocket-Protocol header can be used to significantly slow down a ws server. The vulnerability has been fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff). In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [--max-http-header-size=size](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [maxHeaderSize](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.

Risk Information

Base Score

5.3

MODERATE

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

EPSS Score

Exploitation Probability

0.522

Associated Vulnerability

Vulnerability	OS Platform
Multiple Vulnerabilities are affected in IBM WebMethods Integration Server 10.15	Windows
Multiple Vulnerabilities are affected in IBM WebMethods Integration Server 10.11	Windows
Multiple Vulnerabilities are affected in IBM WebMethods Integration Server 11.1	Windows

Patch Details

No records found

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234