PT-2021-12045 · Unknown · uWebSockets
Published: 2021-07-01 · Updated: 2024-08-04
CVE-2020-36406
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions:
uWebSockets versions 18.11.0 through 18.12.0
Description:
The issue is a stack-based buffer overflow in the uWS::TopicTree::trimTree function, which is called from uWS::TopicTree::unsubscribeAll. The vendor disputes the severity, stating that it is minor or not an issue at all because developers should not allow a large number of triggered topics to accumulate.
Recommendations:
For versions 18.11.0 and 18.12.0, restrict the number of triggered topics so that they cannot accumulate, which minimizes the risk of exploitation.
As a temporary workaround, consider disabling the uWS::TopicTree::trimTree function until a patch is available.
Restrict access to the uWS::TopicTree::unsubscribeAll function to minimize the risk of exploitation.
Tags: Exploit · Fix · Memory Corruption
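Two pieces of defender-side tooling that go with this advisory, written here as an added example (not code from the uWebSockets project and not taken from the advisory): a version-range check that classifies a reported uWebSockets version against the affected range stated above (18.11.0 through 18.12.0, inclusive, taken literally from this page), and a hypothetical application-side TopicCapGuard that implements the first recommendation by bounding how many topics a single connection, and the server as a whole, may hold. The guard is plain bookkeeping the application consults before issuing its own subscribe/unsubscribe calls; it does not call the real uWS API, and its caps, connection ids and topic names are assumptions for illustration.

```cpp
#include <cstddef>
#include <sstream>
#include <string>
#include <unordered_map>
#include <unordered_set>

// --- Part 1: affected-version check for CVE-2020-36406 (range from this advisory) ---

struct Version {
    int major = 0, minor = 0, patch = 0;
};

// Parses a strict "MAJOR.MINOR.PATCH" string. Anything else (prefixes, suffixes,
// missing components, negative numbers) is rejected rather than guessed.
bool parseVersion(const std::string& text, Version& out) {
    std::istringstream in(text);
    char dot1 = 0, dot2 = 0;
    if (!(in >> out.major >> dot1 >> out.minor >> dot2 >> out.patch)) return false;
    if (dot1 != '.' || dot2 != '.') return false;
    if (out.major < 0 || out.minor < 0 || out.patch < 0) return false;
    std::string trailing;
    if (in >> trailing) return false;  // e.g. "18.11.0-rc1" is not classified
    return true;
}

int compareVersion(const Version& a, const Version& b) {
    if (a.major != b.major) return a.major < b.major ? -1 : 1;
    if (a.minor != b.minor) return a.minor < b.minor ? -1 : 1;
    if (a.patch != b.patch) return a.patch < b.patch ? -1 : 1;
    return 0;
}

// 1 = inside the advisory's affected range 18.11.0..18.12.0 (inclusive),
// 0 = outside it, -1 = unparseable (treat as unknown, never as safe).
int affectedStatus(const std::string& versionText) {
    Version v;
    if (!parseVersion(versionText, v)) return -1;
    const Version low{18, 11, 0};
    const Version high{18, 12, 0};
    return (compareVersion(v, low) >= 0 && compareVersion(v, high) <= 0) ? 1 : 0;
}

// --- Part 2: hypothetical application-side cap on live topics (assumed helper) ---
// Does not touch the uWebSockets API: the application asks the guard first and only
// then performs its own subscribe/unsubscribe, so no client can pile up topics.
class TopicCapGuard {
public:
    TopicCapGuard(std::size_t perConnectionCap, std::size_t globalCap)
        : perConnectionCap_(perConnectionCap), globalCap_(globalCap) {}

    // True if the subscription is allowed (or already present); false when either
    // cap would be exceeded. Duplicate subscriptions are idempotent.
    bool trySubscribe(int connId, const std::string& topic) {
        auto& topics = subs_[connId];
        if (topics.count(topic)) return true;
        if (topics.size() >= perConnectionCap_ || total_ >= globalCap_) return false;
        topics.insert(topic);
        ++total_;
        return true;
    }

    // Removes one topic; true if it was present.
    bool unsubscribe(int connId, const std::string& topic) {
        auto it = subs_.find(connId);
        if (it == subs_.end() || it->second.erase(topic) == 0) return false;
        --total_;
        return true;
    }

    // Drops every topic of a connection (e.g. on close); returns how many were removed.
    std::size_t unsubscribeAll(int connId) {
        auto it = subs_.find(connId);
        if (it == subs_.end()) return 0;
        std::size_t removed = it->second.size();
        total_ -= removed;
        subs_.erase(it);
        return removed;
    }

    std::size_t count(int connId) const {
        auto it = subs_.find(connId);
        return it == subs_.end() ? 0 : it->second.size();
    }
    std::size_t totalSubscriptions() const { return total_; }

private:
    std::size_t perConnectionCap_;
    std::size_t globalCap_;
    std::size_t total_ = 0;
    std::unordered_map<int, std::unordered_set<std::string>> subs_;
};
```

affectedStatus deliberately returns -1 rather than 0 for a version string it cannot parse, so an inventory script does not silently mark a host as unaffected because a build reported "v18.11.0" or "18.11"; the guard's unsubscribeAll mirrors the per-connection cleanup an application does on close and keeps the global counter consistent so the cap cannot drift.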
Affected Products: uWebSockets