
CVE-2020-13410: fix: catch writeToStream errors by robertsLando · Pull Request #493 · moscajs/aedes

An issue was discovered in MoscaJS Aedes 0.42.0. lib/write.js does not properly consider exceptions during the writing of an invalid packet to a stream.
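An added example of the failure mode described above, not code from aedes or the pull request: `serializeToStream`, `writeUnguarded`, `writeGuarded` and `attempt` are hypothetical names, and the serializer is a stand-in that throws on a packet it cannot encode. It shows the unguarded write path letting the exception escape beside a guarded path that reports it through the callback.

```javascript
// Hypothetical stand-in for a packet serializer: as in the behaviour the
// advisory describes, it throws when asked to encode a packet it rejects.
const ENCODABLE = new Set(['connack', 'publish', 'puback', 'pingresp'])
function serializeToStream (packet, stream) {
  if (!packet || !ENCODABLE.has(packet.cmd)) throw new Error('Unknown command')
  return stream.write(JSON.stringify(packet) + '\n')
}

// Unguarded write path: a serializer exception escapes to whoever called
// the write, which in a broker is typically an event handler with no catch.
function writeUnguarded (client, packet, done) {
  serializeToStream(packet, client.conn)
  done(null, client)
}

// Guarded write path: the exception is caught and handed to the callback,
// so the caller can drop this one client and keep serving the others.
function writeGuarded (client, packet, done) {
  let error = null
  if (!client.connected) {
    error = new Error('connection closed')
  } else {
    try {
      serializeToStream(packet, client.conn)
    } catch (err) {
      error = new Error('invalid packet: ' + err.message)
    }
  }
  done(error, client)
}

// Runs one write against a fake in-memory connection and reports whether
// the exception escaped the call or was delivered to the callback.
function attempt (writeFn, packet) {
  const conn = { chunks: [], write (c) { this.chunks.push(c); return true } }
  const client = { connected: true, conn }
  const result = { escaped: null, delivered: null }
  try {
    writeFn(client, packet, (err) => { result.delivered = err ? err.message : 'ok' })
  } catch (err) {
    result.escaped = err.message
  }
  return result
}

const bad = { cmd: 'not-a-command' } // constructed sample input
console.log('unguarded:', attempt(writeUnguarded, bad))
console.log('guarded:  ', attempt(writeGuarded, bad))
```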


@mcollina I’m 👍 for the test, but why isn’t this working?

```js
// Catch invalid packet writeToStream errors
test('reject client requested for unsupported protocol version', function (t) {
  t.plan(3)

  const broker = aedes()
  t.tearDown(broker.close.bind(broker))

  const s = setup(broker)

  // Raw bytes written to the broker's input stream
  var packet = [
    16, 22, 0, 4, 77, 81, 84, 84, 4, 2, 0, 0,
    0, 10, 109, 121, 99, 108, 105, 101, 110, 116, 105, 100,
    85, 0
  ]

  s.inStream.write(Buffer.from(packet))

  s.outStream.on('data', function (packet) {
    t.fail('no data sent')
  })
  broker.on('connectionError', function (client, err) {
    t.equal(client.version, null)
    t.equal(err.message, 'Unknown command')
    t.equal(broker.connectedClients, 0)
  })
})
```

I mean, it works as a test, but it doesn’t make that function throw.

P.S.: I asked the guy from the email to try this fix and he told me that it has fixed the bug 🎉
