CVE编号
CVE-2022-21676利用情况
暂无补丁情况
N/A披露时间
2022-01-13漏洞描述
Engine.IO is the implementation of transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. This impacts all the users of the `engine.io` package starting from version `4.0.0`, including those who uses depending packages like `socket.io`. Versions prior to `4.0.0` are not impacted. A fix has been released for each major branch, namely `4.1.2` for the `4.x.x` branch, `5.2.1` for the `5.x.x` branch, and `6.1.1` for the `6.x.x` branch. There is no known workaround except upgrading to a safe version.解决建议
建议您更新当前系统或软件至最新版,完成漏洞的修复。
参考链接 |
|
|---|---|
| https://github.com/socketio/engine.io/commit/66f889fc1d966bf5bfa0de1939069153643874ab | |
| https://github.com/socketio/engine.io/commit/a70800d7e96da32f6e6622804ef659ebc58659db | |
| https://github.com/socketio/engine.io/commit/c0e194d44933bd83bf9a4b126fca68ba7bf5098c | |
| https://github.com/socketio/engine.io/releases/tag/4.1.2 | |
| https://github.com/socketio/engine.io/releases/tag/5.2.1 | |
| https://github.com/socketio/engine.io/releases/tag/6.1.1 | |
| https://github.com/socketio/engine.io/security/advisories/GHSA-273r-mgr4-v34f |
受影响软件情况
| # | 类型 | 厂商 | 产品 | 版本 | 影响面 | ||||
| 1 | |||||||||
|---|---|---|---|---|---|---|---|---|---|
| 运行在以下环境 | |||||||||
| 应用 | socket | engine.io | * |
From (including) 4.0.0 |
Up to (excluding) 4.1.2 |
||||
| 运行在以下环境 | |||||||||
| 应用 | socket | engine.io | * |
From (including) 5.0.0 |
Up to (excluding) 5.2.1 |
||||
| 运行在以下环境 | |||||||||
| 应用 | socket | engine.io | * |
From (including) 6.0.0 |
Up to (excluding) 6.1.1 |
||||
- 攻击路径 网络
- 攻击复杂度 低
- 权限要求 无
- 影响范围 未更改
- 用户交互 无
- 可用性 高
- 保密性 无
- 完整性 无
还没有评论,来说两句吧...