CVE-2021-32640 — MEDIUM (5.3)

Q: How severe is CVE-2021-32640?

CVE-2021-32640 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2021-32640?

Check the references section above for vendor advisories and patch information. Affected products include: Ws Project Ws, Netapp E-Series Performance Analyzer.

Vulnerability Description

ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server. The vulnerability has been fixed in [email protected] (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff). In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.

CVSS Score

5.3

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

LOW

Affected Products

Vendor	Product	Versions
Ws Project	Ws	>= 5.0.0, < 6.2.2
Netapp	E-Series Performance Analyzer	-

Related Weaknesses (CWE)

CWE-400

References

https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ffPatchThird Party Advisory
https://github.com/websockets/ws/security/advisories/GHSA-6fc8-4gx4-v693ExploitMitigationPatch
https://lists.apache.org/thread.html/rdfa7b6253c4d6271e31566ecd5f30b7ce1b8fb2c89
https://security.netapp.com/advisory/ntap-20210706-0005/Third Party Advisory
https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ffPatchThird Party Advisory
https://github.com/websockets/ws/security/advisories/GHSA-6fc8-4gx4-v693ExploitMitigationPatch
https://lists.apache.org/thread.html/rdfa7b6253c4d6271e31566ecd5f30b7ce1b8fb2c89
https://security.netapp.com/advisory/ntap-20210706-0005/Third Party Advisory

FAQ

What is CVE-2021-32640?

CVE-2021-32640 is a vulnerability with a CVSS score of 5.3 (MEDIUM). ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server. The vulnerabi...

How severe is CVE-2021-32640?

CVE-2021-32640 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-32640?

Check the references section above for vendor advisories and patch information. Affected products include: Ws Project Ws, Netapp E-Series Performance Analyzer.