Home > Vulnerability Database > CVE-2017-16031

Mend.io Vulnerability Database

CVE-2017-16031

Good to know:

Date: June 4, 2018

Socket.io is a realtime application framework that provides communication via websockets. Because socket.io 0.9.6 and earlier depends on "Math.random()" to create socket IDs, the IDs are predictable. An attacker is able to guess the socket ID and gain access to socket.io servers, potentially obtaining sensitive information.

Language: JS

Severity Score

7.5

Related Resources (9)

Url: https://github.com/socketio/socket.io/pull/857

Url: https://github.com/socketio/socket.io

Url: https://github.com/advisories/GHSA-qv2v-m59f-v5fw

Url: https://github.com/socketio/socket.io/commit/67b4eb9abdf111dfa9be4176d1709374a2b4ded8

Url: https://nvd.nist.gov/vuln/detail/CVE-2017-16031

Url: https://nodesecurity.io/advisories/321

Url: https://github.com/socketio/socket.io/issues/856

Url: https://www.npmjs.com/advisories/321

Url: https://www.mend.io/vulnerability-database/CVE-2017-16031

Severity Score

7.5

Weakness Type (CWE)

Use of Insufficiently Random Values

CWE-330

Top Fix

Upgrade Version

Upgrade to version socket.io - 0.9.7;socket.io - 0.9.7

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

CVSS v2

Base Score:	5.0
Access Vector (AV):	NETWORK
Access Complexity (AC):	LOW
Authentication (AU):	NONE
Confidentiality (C):	PARTIAL
Integrity (I):	NONE
Availability (A):	NONE
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2017-16031

Good to know:

Date: June 4, 2018

Language: JS

Severity Score

Related Resources (9)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?