High severity · NVD Advisory · Published Jun 2, 2020 · Updated Aug 4, 2024
CVE-2020-7663
Description
websocket-extensions ruby module prior to 0.1.5 allows Denial of Service (DoS) via Regex Backtracking. The extension parser may take quadratic time when parsing a header containing an unclosed string parameter value whose content is a repeating two-byte sequence of a backslash and some other character. This could be abused by an attacker to conduct Regex Denial Of Service (ReDoS) on a single-threaded server by providing a malicious payload with the Sec-WebSocket-Extensions header.
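The mitigation for this class of bug is to stop matching the header with a backtracking regular expression and scan it once, left to right, so an unclosed quoted value fails as soon as the input ends. The following is an added example, not code from the websocket-extensions gem or from its fix commit: a single-pass parser for the Sec-WebSocket-Extensions value following the RFC 6455 section 9.1 grammar, with assumed class and method names.

```ruby
require 'strscan'
# Added example, not the websocket-extensions gem's own code: a single-pass
# parser for a Sec-WebSocket-Extensions value (RFC 6455 section 9.1 grammar).
# The only regexes are unambiguous character-class runs; quoted strings are
# walked by hand, so an unclosed one of repeated "\x" pairs costs linear time.
class ExtensionHeaderParser
  class ParseError < StandardError; end
  TOKEN = /[!#%$&'*+\-.^_`|~0-9A-Za-z]+/     # RFC 7230 tchar run, no alternation
  # extension-list = extension *("," extension) -> [{ name:, params: {} }, ...]
  def self.parse(header)
    sc = new(header)
    list = [sc.extension]
    list << sc.extension while sc.accept?(',')
    raise ParseError, 'trailing data after extension list' unless sc.eos?
    list
  end

  def initialize(s); @ss = StringScanner.new(s); end
  def skip_ws; @ss.skip(/[ \t]*/); end
  def eos?; skip_ws; @ss.eos?; end
  def accept?(ch)                             # consume +ch+ if it comes next
    skip_ws
    @ss.peek(1) == ch ? (@ss.getch; true) : false
  end
  # extension = token *(";" param); param = token ["=" (token / quoted-string)]
  def extension
    ext = { name: token, params: {} }
    while accept?(';')
      key = token
      ext[:params][key] = accept?('=') ? (skip_ws; @ss.peek(1) == '"' ? quoted : token) : true
    end
    ext
  end
  def token
    skip_ws
    @ss.scan(TOKEN) or raise ParseError, "token expected at offset #{@ss.pos}"
  end

  # Backslash escapes exactly the next char, so a string reads only one way;
  # reaching the end of input before the closing quote is an immediate error.
  def quoted
    @ss.getch                                 # opening quote
    out = +''
    loop do
      c = @ss.getch
      break if c == '"'
      c = @ss.getch if c == '\\'              # escape: take the next char literally
      raise ParseError, 'unclosed quoted string' if c.nil?
      out << c
    end
    out
  end
end
```

A value such as `ext; p="` followed by hundreds of thousands of `\a` pairs is rejected after one pass over the input, which is the property the regex-based parser lacked.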
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| websocket-extensions | RubyGems | < 0.1.5 | 0.1.5 |
Affected products
websocket-extensions/websocket-extensions: 8 package coordinates from the GHSA record, none with a CPE. Ranges are listed in the same order as the coordinates.
| Package coordinate | Distribution | Affected range |
|---|---|---|
| pkg:gem/websocket-extensions | RubyGems | < 0.1.5 |
| pkg:rpm/opensuse/ruby3.2-rubygem-websocket-extensions | openSUSE Tumbleweed | < 0.1.5-1.16 |
| pkg:rpm/opensuse/rubygem-websocket-extensions | openSUSE Leap 15.4 | < 0.1.3-150000.3.4.1 |
| pkg:rpm/opensuse/rubygem-websocket-extensions | openSUSE Tumbleweed | < 0.1.5-1.20 |
| pkg:rpm/suse/rubygem-websocket-extensions | SUSE Linux Enterprise High Availability Extension 15 SP1 | < 0.1.3-150000.3.4.1 |
| pkg:rpm/suse/rubygem-websocket-extensions | SUSE Linux Enterprise High Availability Extension 15 SP2 | < 0.1.3-150000.3.4.1 |
| pkg:rpm/suse/rubygem-websocket-extensions | SUSE Linux Enterprise High Availability Extension 15 SP3 | < 0.1.3-150000.3.4.1 |
| pkg:rpm/suse/rubygem-websocket-extensions | SUSE Linux Enterprise High Availability Extension 15 SP4 | < 0.1.3-150000.3.4.1 |
References
- https://github.com/advisories/GHSA-g6wq-qcwm-j5g2 (GHSA advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2020-7663 (NVD advisory)
- https://usn.ubuntu.com/4502-1/ (Ubuntu vendor advisory USN-4502-1; listed by both MITRE and GHSA)
- https://blog.jcoglan.com/2020/06/02/redos-vulnerability-in-websocket-extensions (blog post)
- https://github.com/faye/websocket-extensions-ruby/commit/aa156a439da681361ed6f53f1a8131892418838b (commit in websocket-extensions-ruby)
- https://github.com/faye/websocket-extensions-ruby/security/advisories/GHSA-g6wq-qcwm-j5g2 (repository security advisory)
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/websocket-extensions/CVE-2020-7663.yml (ruby-advisory-db entry)
- https://lists.debian.org/debian-lts-announce/2020/08/msg00031.html (Debian LTS announcement, mailing list)
- https://snyk.io/vuln/SNYK-RUBY-WEBSOCKETEXTENSIONS-570830 (Snyk)