CVE-2023-30591
CVSS V2 None
CVSS V3 None
Description
Denial-of-service in NodeBB <= v2.8.10 allows unauthenticated attackers to trigger a crash, when invoking `eventName.startsWith()` or `eventName.toString()`, while processing Socket.IO messages via crafted Socket.IO messages containing array or object type for the event name respectively.
Overview
- CVE ID
- CVE-2023-30591
- Assigner
- STAR_Labs
- Vulnerability Status
- PUBLISHED
- Published Version
- 2023-09-29T05:06:43.923Z
- Last Modified Date
- 2023-09-29T05:06:43.923Z
Weakness Enumerations
References
| Reference URL | Reference Tags |
|---|---|
| https://starlabs.sg/advisories/23/23-30591/ | third-party-advisory |
| https://github.com/NodeBB/NodeBB/commit/37b48b82a4bc7680c6e4c42647209010cb239c2c | patch |
| https://github.com/NodeBB/NodeBB/commit/830f142b7aea2e597294a84d52c05aab3a3539ca | patch |
| https://github.com/NodeBB/NodeBB/commit/4d2d76897a02e7068ab74c81d17a2febfae8bfb9 | patch |
Sources
| Source Name | Source URL |
|---|---|
| NIST | https://nvd.nist.gov/vuln/detail/CVE-2023-30591 |
| MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30591 |
History
| Created | Old Value | New Value | Data Type | Notes |
|---|---|---|---|---|
| 2024-06-25 17:25:43 | Added to TrackCVE |