This repository has been archived by the owner on Oct 15, 2023. It is now read-only.

WebSocket Usage must be fixed

Critical
nicokempe published GHSA-v73x-x7pc-429v Jul 25, 2021

Package

No package listed

Affected versions

* -> 2021.7.1

Patched versions

2021.7.3

Description

Impact

Because the client used the unencrypted ws protocol, sensitive data sent over the WebSocket could have been intercepted and misused by outsiders, or simply read in transit. This would have fatal consequences for our shop system and for the privacy of our users. With the upcoming release of version 2021.7.3, this problem will be officially resolved.

Explanation

The wss protocol establishes a WebSocket over an encrypted TLS connection, while the ws protocol uses an unencrypted connection. Once the handshake completes, the network connection remains open and can be used to send WebSocket messages in either direction, so with ws every message in both directions travels in plaintext.
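As an added example (not code from this advisory or from the project), a client-side guard that refuses to open a WebSocket unless the endpoint uses wss, plus an audit helper for a list of configured endpoints; the hostnames, the `allowLoopbackPlain` option and the function names are assumptions.

```javascript
// Added example, not part of the advisory: reject plaintext ws:// endpoints
// before a WebSocket is ever opened. Hostnames and option names are hypothetical.

// Return a validated wss:// URL string, or throw if the endpoint is not secure.
// allowLoopbackPlain (assumed option) permits ws:// only for local development.
function enforceWss(endpoint, { allowLoopbackPlain = false } = {}) {
  const url = new URL(endpoint); // throws on malformed input
  if (url.protocol === "wss:") return url.toString();
  if (url.protocol !== "ws:") {
    throw new Error(`not a WebSocket URL (scheme ${url.protocol})`);
  }
  const loopback = url.hostname === "localhost" || url.hostname === "127.0.0.1";
  if (allowLoopbackPlain && loopback) return url.toString();
  // Do not silently rewrite ws -> wss: a plaintext endpoint in configuration is
  // the bug itself and must surface as an error, not be papered over.
  throw new Error(`refusing plaintext WebSocket endpoint: ${endpoint}`);
}

// Open the socket only through the check above; never pass a raw string.
function openSecureSocket(endpoint, WebSocketImpl = globalThis.WebSocket) {
  return new WebSocketImpl(enforceWss(endpoint));
}

// Audit a list of configured endpoints; returns one result object per entry.
function auditEndpoints(endpoints, options) {
  return endpoints.map((endpoint) => {
    try {
      return { endpoint, ok: true, url: enforceWss(endpoint, options) };
    } catch (err) {
      return { endpoint, ok: false, reason: err.message };
    }
  });
}

// Constructed sample configuration (hostnames are hypothetical).
const SAMPLE_ENDPOINTS = [
  "wss://shop.example/ws",
  "ws://shop.example/ws",
  "https://shop.example/ws",
];

module.exports = { enforceWss, openSecureSocket, auditEndpoints, SAMPLE_ENDPOINTS };
```

A browser served over https already blocks ws:// as mixed content, but the guard also covers non-browser clients and makes the misconfiguration visible in an audit instead of a connection failure.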

For more information

If you have any questions or comments about this advisory:

Severity

Critical

CVE ID

No known CVE

Weaknesses

No CWEs

Credits