Security vulnerabilities in version 3.0

This page lists all known and fixed security vulnerabilities in version 3.0 (back to the list of all versions).

Overview: 1 vulnerability

WSA CVE Score Severity Issue Scope Vulnerability type Versions Fix Release date
WSA-2021-1 CVE-2021-40516 7.5
Crash on malformed websocket frame in relay plugin. Relay Out-of-bounds read 0.4.1 → 3.2 3.2.1

WSA-2021-1: [Relay] Crash on malformed websocket frame in relay plugin.

Vulnerability
CVE
CVE-2021-40516 [ MITRE / NVD ]
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (detail)
CVSS score
7.5 / 10
Severity
high
Vulnerability type
Out-of-bounds read (detail)
Scope
Relay
Affected versions
0.4.1 → 3.2
Fixed version
3.2.1 () - ChangeLog
Tracker
Not available
Commits
Description
A crash happens when decoding a malformed websocket frame in relay plugin.
This happens even if a password is set in relay plugin, the malformed websocket frame can be received before the authentication of the client.
Mitigation
There are multiple ways to mitigate this issue:
Credit
The issue was discovered by Stuart Nevans Locke.