
Affected version and product name accurate? #1

Open
rwhitworth opened this issue Feb 14, 2020 · 1 comment

Comments

@rwhitworth

I'm concerned the public text of CVE-2020-8823 isn't well defined enough for development teams to patch the affected library. Can you provide more details to help? Specifically the concern is that product name and version number do not match clearly with SockJS.

SockJS seems to be a product family and not a single product. The entire product family does not look to be affected, and the issue seems to reside in sockjs-node. Is this correct?

The version number is also confusing, as sockjs-node is currently listed as being v0.3.19. Was the library released on another platform as version 3.0?

It would be appreciated if you can help update the CVE text to be more clear about what is affected. I assume this has been reported to the authors of SockJS. They may be able to help pinpoint exactly what needs to be updated in the wording.

@mvs5465

mvs5465 commented Nov 12, 2020

@rwhitworth according to this https://snyk.io/vuln/SNYK-JS-SOCKJS-548397, it applies to version 0.3.0 of sockjs or lower, so this CVE seems to be wrong.
