Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation
ws is a "simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455". By sending an overly long websocket payload to a `ws` server, it is possible to crash the node process. This affects ws 1.1.0 and earlier.
MISC - https://github.com/nodejs/node/issues/7388
MISC - https://nodesecurity.io/advisories/120
Vulnerable Software & Versions:
cpe:/a:ws_project:ws:1.1.0::~~~node.js~~ and all previous versions
dependency check
`mvn clean org.owasp:dependency-check-maven:3.3.2:check` returns a medium-severity vulnerability if a dependency jar contains the word "ws". Moreover, the description suggests the advisory is relevant to the Node.js platform, not to a Java artifact.
CPE
cpe:/a:ws_project:ws:1.1.0::~~~node.js~~ and all previous versions
Description
Reproducing the false positive vulnerability
Run `mvn clean install`, then `mvn clean org.owasp:dependency-check-maven:3.3.2:check` on the latter project.
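One way to silence this particular false positive without hiding other findings, added here as an example and not part of the original report: a dependency-check suppression file that suppresses only the `cpe:/a:ws_project:ws` match, scoped to the affected Java artifact. The `groupId:artifactId` pattern is a placeholder to be replaced with the coordinates of the flagged jar; the file is referenced from the Maven plugin's `suppressionFile` configuration parameter.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example dependency-check suppression file (not from the original report).
     Scope: only the ws_project:ws CPE, and only for the placeholder artifact
     whose name happens to contain "ws". Any other CVE matched against the
     same jar is still reported, so the suppression stays narrow. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
  <suppress>
    <notes><![CDATA[
    False positive: cpe:/a:ws_project:ws identifies the Node.js "ws"
    websocket library (DoS via an overly long websocket payload, ws <= 1.1.0).
    This Java jar matched only because its name contains "ws".
    Reference: https://nodesecurity.io/advisories/120
    ]]></notes>
    <!-- PLACEHOLDER: replace with the groupId:artifactId of the flagged jar.
         The regex is anchored so it cannot accidentally cover other artifacts. -->
    <gav regex="true">^example\.group:example-ws-artifact:.*$</gav>
    <!-- Suppress only this CPE; findings under other CPEs remain visible. -->
    <cpe>cpe:/a:ws_project:ws</cpe>
  </suppress>
</suppressions>
```

Re-run the `check` goal after adding the file; the ws_project:ws finding should disappear for that artifact while the rest of the report is unchanged.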