{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2020-27813", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "dateUpdated": "2024-08-04T16:25:44.139Z", "dateReserved": "2020-10-27T00:00:00", "datePublished": "2020-12-02T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2023-05-14T00:00:00"}, "descriptions": [{"lang": "en", "value": "An integer overflow vulnerability exists with the length of websocket frames received via a websocket connection. An attacker would use this flaw to cause a denial of service attack on an HTTP Server allowing websocket connections."}], "affected": [{"vendor": "n/a", "product": "golang-github-gorilla-websocket", "versions": [{"version": "github.com/gorilla/websocket v1.4.1", "status": "affected"}]}], "references": [{"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1902111"}, {"url": "https://github.com/gorilla/websocket/security/advisories/GHSA-jf24-p9p9-4rjh"}, {"name": "[debian-lts-announce] 20210106 [SECURITY] [DLA 2520-1] golang-websocket security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2021/01/msg00008.html"}, {"name": "[debian-lts-announce] 20230513 [SECURITY] [DLA 3420-1] golang-websocket security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00012.html"}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-190->CWE-400", "cweId": "CWE-190"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T16:25:44.139Z"}, "title": "CVE Program Container", "references": [{"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1902111", "tags": ["x_transferred"]}, {"url": "https://github.com/gorilla/websocket/security/advisories/GHSA-jf24-p9p9-4rjh", "tags": ["x_transferred"]}, {"name": "[debian-lts-announce] 20210106 [SECURITY] [DLA 2520-1] golang-websocket security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2021/01/msg00008.html"}, {"name": "[debian-lts-announce] 20230513 [SECURITY] [DLA 3420-1] golang-websocket security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00012.html"}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gorillatoolkit:websocket:*:*:*:*:*:*:*:*", "matchCriteriaId": "352B9531-5BB0-4C4D-9A9F-6E2B27A0B2C0", "versionEndExcluding": "1.4.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An integer overflow vulnerability exists with the length of websocket frames received via a websocket connection. An attacker would use this flaw to cause a denial of service attack on an HTTP Server allowing websocket connections."}, {"lang": "es", "value": "Se presenta una vulnerabilidad de desbordamiento de enteros con la longitud de las tramas de websocket recibidos por medio de una conexi\u00f3n de websocket. Un atacante podr\u00eda usar este fallo para causar un ataque de denegaci\u00f3n de servicio en un Servidor HTTP permitiendo conexiones websocket"}], "id": "CVE-2020-27813", "lastModified": "2023-11-07T03:21:01.617", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-12-02T01:15:12.780", "references": [{"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1902111"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://github.com/gorilla/websocket/security/advisories/GHSA-jf24-p9p9-4rjh"}, {"source": "secalert@redhat.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2021/01/msg00008.html"}, {"source": "secalert@redhat.com", "url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00012.html"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-190"}, {"lang": "en", "value": "CWE-400"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-190"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2021:0833", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "atomic-openshift-cluster-autoscaler-0:3.11.404-1.git.0.2c258fe.el7", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2021-03-25T00:00:00Z"}, {"advisory": "RHSA-2021:0190", "cpe": "cpe:/a:redhat:openshift:4.6::el8", "package": "openshift4/compliance-rhel8-operator:v4.6.0-97", "product_name": "Red Hat OpenShift Container Platform 4.6", "release_date": "2021-01-19T00:00:00Z"}, {"advisory": "RHSA-2021:0190", "cpe": "cpe:/a:redhat:openshift:4.6::el8", "package": "openshift4/compliance-rhel8-operator-metadata:v4.6.0.97-1", "product_name": "Red Hat OpenShift Container Platform 4.6", "release_date": "2021-01-19T00:00:00Z"}, {"advisory": "RHSA-2020:5364", "cpe": "cpe:/a:redhat:openshift:4.7::el8", "package": "openshift4/cnf-tests-rhel8:v4.7.0-34", "product_name": "Red Hat OpenShift Container Platform 4.7", "release_date": "2021-02-24T00:00:00Z"}, {"advisory": "RHSA-2020:5364", "cpe": "cpe:/a:redhat:openshift:4.7::el8", "package": "openshift4/dpdk-base-rhel8:v4.7.0-6", "product_name": "Red Hat OpenShift Container Platform 4.7", "release_date": "2021-02-24T00:00:00Z"}, {"advisory": "RHSA-2020:5364", "cpe": "cpe:/a:redhat:openshift:4.7::el8", "package": "openshift4/performance-addon-operator-bundle-registry-container-rhel8:v4.7.0-612", "product_name": "Red Hat OpenShift Container Platform 4.7", "release_date": "2021-02-24T00:00:00Z"}, {"advisory": "RHSA-2020:5364", "cpe": "cpe:/a:redhat:openshift:4.7::el8", "package": "openshift4/performance-addon-operator-must-gather-rhel8:v4.7.0-72", "product_name": "Red Hat OpenShift Container Platform 4.7", "release_date": "2021-02-24T00:00:00Z"}, {"advisory": "RHSA-2020:5364", "cpe": "cpe:/a:redhat:openshift:4.7::el8", "package": "openshift4/performance-addon-rhel8-operator:v4.7.0-30", "product_name": "Red Hat OpenShift Container Platform 4.7", "release_date": "2021-02-24T00:00:00Z"}, {"advisory": "RHSA-2020:5633", "cpe": "cpe:/a:redhat:openshift:4.7::el8", "package": "openshift4/ose-console:v4.7.0-202102130115.p0", "product_name": "Red Hat OpenShift Container Platform 4.7", "release_date": "2021-02-24T00:00:00Z"}, {"advisory": "RHSA-2021:0100", "cpe": "cpe:/a:redhat:openshift:4.7::el8", "package": "openshift4/file-integrity-rhel8-operator:v4.7.0-9", "product_name": "Red Hat OpenShift Container Platform 4.7", "release_date": "2021-02-24T00:00:00Z"}, {"advisory": "RHSA-2021:1561", "cpe": "cpe:/a:redhat:openshift:4.7::el8", "package": "openshift4/ose-hyperkube:v4.7.0-202105160013.p0", "product_name": "Red Hat OpenShift Container Platform 4.7", "release_date": "2021-05-24T00:00:00Z"}, {"advisory": "RHSA-2021:0799", "cpe": "cpe:/a:redhat:container_native_virtualization:2.6::el8", "package": "kubevirt-cpu-model-nfd-plugin-container", "product_name": "Red Hat OpenShift Virtualization 2", "release_date": "2021-03-10T00:00:00Z"}, {"advisory": "RHSA-2021:0799", "cpe": "cpe:/a:redhat:container_native_virtualization:2.6::el8", "package": "kubevirt-cpu-node-labeller-container", "product_name": "Red Hat OpenShift Virtualization 2", "release_date": "2021-03-10T00:00:00Z"}, {"advisory": "RHSA-2021:0799", "cpe": "cpe:/a:redhat:container_native_virtualization:2.6::el8", "package": "kubevirt-kvm-info-nfd-plugin-container", "product_name": "Red Hat OpenShift Virtualization 2", "release_date": "2021-03-10T00:00:00Z"}, {"advisory": "RHSA-2021:0799", "cpe": "cpe:/a:redhat:container_native_virtualization:2.6::el8", "package": "vm-import-controller-container", "product_name": "Red Hat OpenShift Virtualization 2", "release_date": "2021-03-10T00:00:00Z"}, {"advisory": "RHSA-2021:0187", "cpe": "cpe:/a:redhat:container_native_virtualization:2.5::el8", "package": "container-native-virtualization/vm-import-controller-rhel8:v2.5.3-4", "product_name": "RHEL-8-CNV-2.5", "release_date": "2021-01-19T00:00:00Z"}, {"advisory": "RHSA-2021:2920", "cpe": "cpe:/a:redhat:container_native_virtualization:4.8::el8", "package": "container-native-virtualization/kubernetes-nmstate-handler-rhel8:v4.8.0-21", "product_name": "RHEL-8-CNV-4.8", "release_date": "2021-07-28T00:00:00Z"}, {"advisory": "RHSA-2021:2920", "cpe": "cpe:/a:redhat:container_native_virtualization:4.8::el8", "package": "container-native-virtualization/kubevirt-v2v-conversion:v4.8.0-10", "product_name": "RHEL-8-CNV-4.8", "release_date": "2021-07-28T00:00:00Z"}, {"advisory": "RHSA-2021:2920", "cpe": "cpe:/a:redhat:container_native_virtualization:4.8::el8", "package": "container-native-virtualization/kubevirt-vmware:v4.8.0-11", "product_name": "RHEL-8-CNV-4.8", "release_date": "2021-07-28T00:00:00Z"}, {"advisory": "RHSA-2021:2920", "cpe": "cpe:/a:redhat:container_native_virtualization:4.8::el8", "package": "container-native-virtualization/node-maintenance-operator:v4.8.0-19", "product_name": "RHEL-8-CNV-4.8", "release_date": "2021-07-28T00:00:00Z"}, {"advisory": "RHSA-2021:2920", "cpe": "cpe:/a:redhat:container_native_virtualization:4.8::el8", "package": "container-native-virtualization/vm-import-controller:v4.8.0-18", "product_name": "RHEL-8-CNV-4.8", "release_date": "2021-07-28T00:00:00Z"}, {"advisory": "RHSA-2021:2920", "cpe": "cpe:/a:redhat:container_native_virtualization:4.8::el8", "package": "container-native-virtualization/vm-import-controller-rhel8:v4.8.0-18", "product_name": "RHEL-8-CNV-4.8", "release_date": "2021-07-28T00:00:00Z"}, {"advisory": "RHSA-2021:2920", "cpe": "cpe:/a:redhat:container_native_virtualization:4.8::el8", "package": "container-native-virtualization/vm-import-operator-rhel8:v4.8.0-18", "product_name": "RHEL-8-CNV-4.8", "release_date": "2021-07-28T00:00:00Z"}, {"advisory": "RHSA-2021:2920", "cpe": "cpe:/a:redhat:container_native_virtualization:4.8::el8", "package": "container-native-virtualization/vm-import-virtv2v-rhel8:v4.8.0-18", "product_name": "RHEL-8-CNV-4.8", "release_date": "2021-07-28T00:00:00Z"}], "bugzilla": {"description": "golang-github-gorilla-websocket: integer overflow leads to denial of service", "id": "1902111", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1902111"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-190->CWE-400", "details": ["An integer overflow vulnerability exists with the length of websocket frames received via a websocket connection. An attacker would use this flaw to cause a denial of service attack on an HTTP Server allowing websocket connections.", "An integer overflow vulnerability exists with the length of websocket frames received via a websocket connection. An attacker could use this flaw to cause a denial of service attack on an HTTP Server allowing websocket connections."], "name": "CVE-2020-27813", "package_state": [{"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Not affected", "package_name": "knative-serving", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:service_mesh:1", "fix_state": "Not affected", "package_name": "servicemesh", "product_name": "OpenShift Service Mesh 1"}, {"cpe": "cpe:/a:redhat:service_mesh:1", "fix_state": "Will not fix", "package_name": "servicemesh-grafana", "product_name": "OpenShift Service Mesh 1"}, {"cpe": "cpe:/a:redhat:service_mesh:1", "fix_state": "Not affected", "package_name": "servicemesh-operator", "product_name": "OpenShift Service Mesh 1"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Will not fix", "package_name": "3scale-apicast-operator-container", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Will not fix", "package_name": "3scale-operator-container", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "websocket", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Will not fix", "package_name": "atomic-openshift", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-etcd", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-grafana", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-thanos-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift-hive-operator-container", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:assisted_installer:", "fix_state": "Will not fix", "package_name": "rhai-tech-preview/assisted-installer-agent-rhel8", "product_name": "Red Hat OpenShift Container Platform Assisted Installer"}, {"cpe": "cpe:/a:redhat:assisted_installer:", "fix_state": "Will not fix", "package_name": "rhai-tech-preview/assisted-installer-reporter-rhel8", "product_name": "Red Hat OpenShift Container Platform Assisted Installer"}, {"cpe": "cpe:/a:redhat:assisted_installer:", "fix_state": "Will not fix", "package_name": "rhai-tech-preview/assisted-installer-rhel8", "product_name": "Red Hat OpenShift Container Platform Assisted Installer"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Affected", "package_name": "hyperconverged-cluster-operator", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Affected", "package_name": "kubevirt-template-validator", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Affected", "package_name": "virt-controller", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Affected", "package_name": "virt-handler", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Affected", "package_name": "virt-launcher", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Affected", "package_name": "virt-operator", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Affected", "package_name": "vm-import-controller", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Affected", "package_name": "vm-import-operator", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Not affected", "package_name": "quay-operator", "product_name": "Red Hat Quay 3"}], "public_date": "2019-08-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-27813\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-27813\nhttps://github.com/gorilla/websocket/security/advisories/GHSA-jf24-p9p9-4rjh"], "threat_severity": "Moderate", "upstream_fix": "github.com/gorilla/websocket v1.4.1"}