Open
Labels
security vulnerability (Security vulnerability detected by WhiteSource)
Description
WS-2017-0107 - Medium Severity Vulnerability
Vulnerable Library - ws-1.1.1.tgz
simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455
path: null
Library home page: https://registry.npmjs.org/ws/-/ws-1.1.1.tgz
Dependency Hierarchy:
- browser-sync-2.21.0.tgz (Root Library)
  - socket.io-client-1.6.0.tgz
    - engine.io-client-1.8.0.tgz
      - ❌ ws-1.1.1.tgz (Vulnerable Library)
Vulnerability Details
Depending on the JavaScript engine, Math.random can be anywhere between extremely insecure and cryptographically pseudo-random.
Versions that use Math.random can produce predictable values and therefore shall not be used.
Publish Date: 2016-09-20
URL: WS-2017-0107
Suggested Fix
Type: Change files
Origin: websockets/ws@7253f06
Release Date: 2016-11-25
Fix Resolution: Replace or update the following file: Sender.js