DIVD-2022-00045 - Injection vulnerability found within Socket.io
| Field | Value |
|---|---|
| Our reference | DIVD-2022-00045 |
| Case lead | Ralph Horn |
| Author | Victor Pasman |
| Researcher(s) | |
| CVE(s) | |
| Product | Socket.io |
| Versions | 4.x < 4.2.1 |
| Recommendation | If you received a notification of a vulnerability, patch your system with the information provided in this notification. |
| Patch status | Available |
| Status | Closed |
| Last modified | 01 Jun 2023 09:11 CEST |
Summary
By leveraging the vulnerabilities, an unauthenticated attacker with network access to the application using Socket.io can execute arbitrary system commands.
What you can do
We recommend using the latest version of Socket.io.
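One way to check whether a project's dependency tree still carries an affected release, as an added example that is not part of this advisory or of the Socket.io project: it applies the advisory's range (4.x below 4.2.1) to every `socket.io` entry in a parsed `package-lock.json`. The sample lockfile and the function names are constructed for illustration.

```javascript
// Added example (not from the DIVD advisory): flag socket.io versions in the
// range "4.x < 4.2.1" named on this page. Assumes a package-lock.json v2/v3
// layout ("packages" keyed by install path); the sample lock is constructed.

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into parts; null if not semver-like.
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(version).trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], prerelease: m[4] || null };
}

// Affected when major is 4 and the version sorts below 4.2.1. A prerelease of
// 4.2.1 itself (e.g. 4.2.1-rc.0) predates the fixed release and counts as affected.
function isAffected(version) {
  const v = parseSemver(version);
  if (!v) return false;          // unparseable: surface it separately, do not guess
  if (v.major !== 4) return false;
  if (v.minor < 2) return true;
  if (v.minor > 2) return false;
  return v.patch < 1 || (v.patch === 1 && v.prerelease !== null);
}

// Walk the lockfile's "packages" map and return each affected socket.io entry,
// including nested copies under other packages' node_modules directories.
function findAffectedSocketIo(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const isSocketIo = path === 'node_modules/socket.io' || path.endsWith('/node_modules/socket.io');
    if (isSocketIo && entry.version && isAffected(entry.version)) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample: the top-level copy is fixed, a nested copy is not.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/socket.io': { version: '4.5.4' },
    'node_modules/legacy-chat/node_modules/socket.io': { version: '4.1.3' },
    'node_modules/socket.io-client': { version: '4.1.3' },  // different package, ignored
  },
};

console.log(findAffectedSocketIo(SAMPLE_LOCK));
```

To run it against a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `findAffectedSocketIo` instead of the sample object.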
What we are doing
- DIVD is currently ensuring that the owners of vulnerable systems are being notified. We do this by scanning for vulnerable hosts, verifying the vulnerability and notifying the owners of these systems. If you receive an email from us regarding this case, the vulnerability has been confirmed.
Timeline
| Date | Description | 
|---|---|
| 29 Apr 2022 | Vulnerability discovered by Thomas Rinsma from Codean. | 
| 25 May 2022 | Testing by DIVD confirms that the vulnerabilities are still present in the product. | 
| 27 Jun 2022 | Vendor releases new update and asks us to retest vulnerabilities. | 
| 13 Jul 2022 | We confirm vulnerabilities have been fixed. | 
| 25 Oct 2022 | Limited Disclosure | 
| 22 Feb 2023 | Case closed. | 