CVE Vulnerability

CVE-2020-36406

** DISPUTED ** uWebSockets 18.11.0 and 18.12.0 has a stack-based buffer overflow in uWS::TopicTree::trimTree (called from uWS::TopicTree::unsubscribeAll). NOTE: the vendor's position is that this is "a minor issue or not even an issue at all" because the developer of an application (that uses uWebSockets) should not be allowing the large number of triggered topics to accumulate.

6.8 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 8.6 / Impact : 6.4

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

Scope

8.8 /10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/google/oss-fuzz-vulns/blob/main/vulns/uwebsockets/OSV-2020-1695.yaml Third Party Advisory
https://github.com/uNetworking/uWebSockets/commit/03fca626a95130ab80f86adada54b29d27242759 Patch Third Party Advisory
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25381 Exploit Issue Tracking
Configurations

Configuration 1
Information

Published : 2021-07-01 03:15

Updated : 2022-04-29 01:55

NVD link : CVE-2020-36406

Mitre link : CVE-2020-36406

Products Affected
No products.
CWE
CWE-787