OESA-2022-2093

See a problem?
Please try reporting it to the source first.

Source

https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2022-2093

Import Source

https://repo.openeuler.org/security/data/osv/OESA-2022-2093.json

JSON Data

https://api.test.osv.dev/v1/vulns/OESA-2022-2093

Upstream

CVE-2020-7663

Published

2022-11-11T11:04:36Z

Modified

2025-08-12T05:06:42.824471Z

Summary

rubygem-websocket-extensions security update

Details

Generic extension manager for WebSocket connections.

Security Fix(es):

websocket-extensions ruby module prior to 0.1.5 allows Denial of Service (DoS) via Regex Backtracking. The extension parser may take quadratic time when parsing a header containing an unclosed string parameter value whose content is a repeating two-byte sequence of a backslash and some other character. This could be abused by an attacker to conduct Regex Denial Of Service (ReDoS) on a single-threaded server by providing a malicious payload with the Sec-WebSocket-Extensions header.(CVE-2020-7663)

Database specific

{
    "severity": "High"
}

References

Affected packages

openEuler:22.03-LTS / rubygem-websocket-extensions

Package

Name: rubygem-websocket-extensions
Purl: pkg:rpm/openEuler/rubygem-websocket-extensions&distro=openEuler-22.03-LTS

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.1.2-2.oe2203

Ecosystem specific

{
    "noarch": [
        "rubygem-websocket-extensions-doc-0.1.2-2.oe2203.noarch.rpm",
        "rubygem-websocket-extensions-0.1.2-2.oe2203.noarch.rpm"
    ],
    "src": [
        "rubygem-websocket-extensions-0.1.2-2.oe2203.src.rpm"
    ]
}