GHSA-wwgf-3xp7-cxj4

Suggest an improvement
Source
https://github.com/advisories/GHSA-wwgf-3xp7-cxj4
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/07/GHSA-wwgf-3xp7-cxj4/GHSA-wwgf-3xp7-cxj4.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-wwgf-3xp7-cxj4
Published
2020-07-07T16:33:45Z
Modified
2024-12-02T05:46:10.369849Z
Severity
  • 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
Potentially sensitive data exposure in Symfony Web Socket Bundle
Details

Impact

Inside Gos\Bundle\WebSocketBundle\Server\App\Dispatcher\TopicDispatcher::onPublish(), messages are arbitrarily broadcasted to the related Topic if Gos\Bundle\WebSocketBundle\Server\App\Dispatcher\TopicDispatcher::dispatch() does not succeed. The dispatch() method can be considered to not succeed if (depending on the version of the bundle) the callback defined on a topic route is misconfigured, a Gos\Bundle\WebSocketBundle\Topic\TopicInterface implementation is not found for the callback, a topic which also implements Gos\Bundle\WebSocketBundle\Topic\SecuredTopicInterface rejects the connection, or an Exception is unhandled. This can result in an unintended broadcast to the websocket server potentially with data that should be considered sensitive.

Patches

In 1.10.4, 2.6.1, and 3.3.0, Gos\Bundle\WebSocketBundle\Server\App\Dispatcher\TopicDispatcher::onPublish() has been changed to no longer broadcast an event's data if Gos\Bundle\WebSocketBundle\Server\App\Dispatcher\TopicDispatcher::dispatch() fails.

Workarounds

Upgrade to 1.10.4, 2.6.1, and 3.3.0

Note, the 1.x branch is considered end of support as of July 1, 2020.

For more information

If you have any questions or comments about this advisory: * Open an issue in this repository

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-200"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2020-07-07T16:21:44Z"
}
References

Affected packages

Packagist / gos/web-socket-bundle

Package

Name
gos/web-socket-bundle
Purl
pkg:composer/gos/web-socket-bundle

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.10.4

Affected versions

V1.*

V1.1.0

v1.*

v1.0.0
v1.0.1
v1.0.2
v1.0.3
v1.0.4
v1.0.5
v1.1.1
v1.1.2
v1.1.3
v1.1.4
v1.1.5
v1.2.0
v1.3.0
v1.3.1
v1.3.2
v1.4.0
v1.4.1
v1.4.2
v1.5.0
v1.5.1
v1.5.2
v1.6.0
v1.6.1
v1.6.2
v1.6.3
v1.6.4
v1.7.0
v1.7.1
v1.8.0
v1.8.1
v1.8.2
v1.8.3
v1.8.4
v1.8.5
v1.8.6
v1.8.7
v1.8.8
v1.8.9
v1.8.10
v1.8.11
v1.8.12-rc1
v1.8.12-rc2
v1.8.12-rc3
v1.8.12-rc4
v1.8.12-rc5
v1.8.12-rc6
v1.8.12
v1.8.13
v1.9.0-rc1
v1.9.0-rc2
v1.9.0-rc3
v1.9.0-rc4
v1.9.0
v1.10.0
v1.10.1
v1.10.2
v1.10.3

Packagist / gos/web-socket-bundle

Package

Name
gos/web-socket-bundle
Purl
pkg:composer/gos/web-socket-bundle

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.0.0
Fixed
2.6.1

Affected versions

v2.*

v2.0.0
v2.1.0
v2.2.0
v2.3.0
v2.3.1
v2.3.2
v2.4.0
v2.5.0
v2.6.0

Packagist / gos/web-socket-bundle

Package

Name
gos/web-socket-bundle
Purl
pkg:composer/gos/web-socket-bundle

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.0.0
Fixed
3.3.0

Affected versions

v3.*

v3.0.0
v3.1.0
v3.2.0