socket.io-1.3.7.tgz: 14 vulnerabilities (highest severity is: 8.1) #7

Open
dev-mend-for-github-com bot opened this issue Apr 24, 2022 · 0 comments
Labels
security vulnerability Security vulnerability detected by WhiteSource

Comments


Vulnerable Library - socket.io-1.3.7.tgz

node.js realtime framework server

Library home page: https://registry.npmjs.org/socket.io/-/socket.io-1.3.7.tgz

Path to dependency file: /assets/reveal.js/plugin/multiplex/package.json

Path to vulnerable library: /assets/reveal.js/plugin/multiplex/node_modules/socket.io/package.json

Found in HEAD commit: e5594a228e351da3651ce49551431e005c6c817c

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2020-28502 | High | 8.1 | xmlhttprequest-1.5.0.tgz | Transitive | 1.4.0 | Yes |
| CVE-2016-10518 | High | 7.5 | ws-0.8.0.tgz | Transitive | 1.4.1 | Yes |
| CVE-2016-10542 | High | 7.5 | ws-0.8.0.tgz | Transitive | 1.5.0 | Yes |
| CVE-2020-36048 | High | 7.5 | engine.io-1.5.4.tgz | Transitive | 3.0.0-rc1 | Yes |
| CVE-2020-36049 | High | 7.5 | multiple | Transitive | 2.2.0 | Yes |
| CVE-2017-16113 | High | 7.5 | parsejson-0.0.1.tgz | Transitive | N/A | No |
| WS-2017-0421 | High | 7.5 | ws-0.8.0.tgz | Transitive | 1.7.4 | Yes |
| WS-2016-0040 | High | 7.5 | ws-0.8.0.tgz | Transitive | 1.5.0 | Yes |
| CVE-2015-8315 | High | 7.5 | ms-0.6.2.tgz | Transitive | 1.4.0 | Yes |
| WS-2017-0107 | High | 7.4 | ws-0.8.0.tgz | Transitive | 1.7.3 | Yes |
| CVE-2016-10536 | Medium | 5.9 | engine.io-client-1.5.4.tgz | Transitive | N/A | No |
| CVE-2017-16137 | Medium | 5.3 | multiple | Transitive | 2.0.2 | Yes |
| CVE-2020-28481 | Medium | 4.3 | socket.io-1.3.7.tgz | Direct | 2.4.0 | Yes |
| WS-2017-0247 | Low | 3.4 | ms-0.6.2.tgz | Transitive | 2.0.2 | Yes |

Details

CVE-2020-28502

Vulnerable Library - xmlhttprequest-1.5.0.tgz

XMLHttpRequest for Node

Library home page: https://registry.npmjs.org/xmlhttprequest/-/xmlhttprequest-1.5.0.tgz

Path to dependency file: /assets/reveal.js/plugin/multiplex/package.json

Path to vulnerable library: /assets/reveal.js/plugin/multiplex/node_modules/xmlhttprequest/package.json

Dependency Hierarchy:

  • socket.io-1.3.7.tgz (Root Library)
    • socket.io-client-1.3.7.tgz
      • engine.io-client-1.5.4.tgz
        • xmlhttprequest-1.5.0.tgz (Vulnerable Library)

Found in HEAD commit: e5594a228e351da3651ce49551431e005c6c817c

Found in base branch: main

Vulnerability Details

This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run.

Publish Date: 2021-03-05

URL: CVE-2020-28502

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-h4j5-c7cj-74xg

Release Date: 2021-03-05

Fix Resolution (xmlhttprequest): 1.7.0

Direct dependency fix Resolution (socket.io): 1.4.0

⛑️ Automatic Remediation is available for this issue

CVE-2016-10518

Vulnerable Library - ws-0.8.0.tgz

simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455

Library home page: https://registry.npmjs.org/ws/-/ws-0.8.0.tgz

Path to dependency file: /assets/reveal.js/plugin/multiplex/package.json

Path to vulnerable library: /assets/reveal.js/plugin/multiplex/node_modules/ws/package.json

Dependency Hierarchy:

  • socket.io-1.3.7.tgz (Root Library)
    • engine.io-1.5.4.tgz
      • ws-0.8.0.tgz (Vulnerable Library)

Found in HEAD commit: e5594a228e351da3651ce49551431e005c6c817c

Found in base branch: main

Vulnerability Details

A vulnerability was found in the ping functionality of the ws module before 1.0.0 which allowed clients to make the server allocate memory by sending a ping frame. By default, the ping functionality responds with a pong frame carrying the payload of the received ping frame. This is exactly what you expect, but internally ws always converts all data it needs to send into a Buffer instance, and that is where the vulnerability existed: ws did not check the type of the data it was sending. In Node, when a Buffer is created from a number instead of a string, it allocates that number of bytes.

Publish Date: 2018-05-31

URL: CVE-2016-10518

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-10518

Release Date: 2018-05-31

Fix Resolution (ws): 1.0.1

Direct dependency fix Resolution (socket.io): 1.4.1

⛑️ Automatic Remediation is available for this issue

CVE-2016-10542

Vulnerable Library - ws-0.8.0.tgz

simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455

Library home page: https://registry.npmjs.org/ws/-/ws-0.8.0.tgz

Path to dependency file: /assets/reveal.js/plugin/multiplex/package.json

Path to vulnerable library: /assets/reveal.js/plugin/multiplex/node_modules/ws/package.json

Dependency Hierarchy:

  • socket.io-1.3.7.tgz (Root Library)
    • engine.io-1.5.4.tgz
      • ws-0.8.0.tgz (Vulnerable Library)

Found in HEAD commit: e5594a228e351da3651ce49551431e005c6c817c

Found in base branch: main

Vulnerability Details

ws is a "simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455". By sending an overly long websocket payload to a ws server, it is possible to crash the node process. This affects ws 1.1.0 and earlier.

Publish Date: 2018-05-31

URL: CVE-2016-10542

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8858

Release Date: 2018-05-31

Fix Resolution (ws): 1.1.1

Direct dependency fix Resolution (socket.io): 1.5.0

⛑️ Automatic Remediation is available for this issue

CVE-2020-36048

Vulnerable Library - engine.io-1.5.4.tgz

The realtime engine behind Socket.IO. Provides the foundation of a bidirectional connection between client and server

Library home page: https://registry.npmjs.org/engine.io/-/engine.io-1.5.4.tgz

Path to dependency file: /assets/reveal.js/plugin/multiplex/package.json

Path to vulnerable library: /assets/reveal.js/plugin/multiplex/node_modules/engine.io/package.json

Dependency Hierarchy:

  • socket.io-1.3.7.tgz (Root Library)
    • engine.io-1.5.4.tgz (Vulnerable Library)

Found in HEAD commit: e5594a228e351da3651ce49551431e005c6c817c

Found in base branch: main

Vulnerability Details

Engine.IO before 4.0.0 allows attackers to cause a denial of service (resource consumption) via a POST request to the long polling transport.

Publish Date: 2021-01-08

URL: CVE-2020-36048

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36048

Release Date: 2021-01-08

Fix Resolution (engine.io): 4.0.0-alpha.0

Direct dependency fix Resolution (socket.io): 3.0.0-rc1

⛑️ Automatic Remediation is available for this issue

CVE-2020-36049

Vulnerable Libraries - socket.io-parser-2.2.2.tgz, socket.io-parser-2.2.4.tgz

socket.io-parser-2.2.2.tgz

socket.io protocol parser

Library home page: https://registry.npmjs.org/socket.io-parser/-/socket.io-parser-2.2.2.tgz

Path to dependency file: /assets/reveal.js/plugin/multiplex/package.json

Path to vulnerable library: /assets/reveal.js/plugin/multiplex/node_modules/socket.io-adapter/node_modules/socket.io-parser/package.json

Dependency Hierarchy:

  • socket.io-1.3.7.tgz (Root Library)
    • socket.io-adapter-0.3.1.tgz
      • socket.io-parser-2.2.2.tgz (Vulnerable Library)

socket.io-parser-2.2.4.tgz

socket.io protocol parser

Library home page: https://registry.npmjs.org/socket.io-parser/-/socket.io-parser-2.2.4.tgz

Path to dependency file: /assets/reveal.js/plugin/multiplex/package.json

Path to vulnerable library: /assets/reveal.js/plugin/multiplex/node_modules/socket.io-parser/package.json

Dependency Hierarchy:

  • socket.io-1.3.7.tgz (Root Library)
    • socket.io-parser-2.2.4.tgz (Vulnerable Library)

Found in HEAD commit: e5594a228e351da3651ce49551431e005c6c817c

Found in base branch: main

Vulnerability Details

socket.io-parser before 3.4.1 allows attackers to cause a denial of service (memory consumption) via a large packet because a concatenation approach is used.

Publish Date: 2021-01-08

URL: CVE-2020-36049

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36049

Release Date: 2021-01-08

Fix Resolution (socket.io-parser): 3.3.2

Direct dependency fix Resolution (socket.io): 2.2.0
⛑️ Automatic Remediation is available for this issue

CVE-2017-16113

Vulnerable Library - parsejson-0.0.1.tgz

Method that parses a JSON string and returns a JSON object

Library home page: https://registry.npmjs.org/parsejson/-/parsejson-0.0.1.tgz

Path to dependency file: /assets/reveal.js/plugin/multiplex/package.json

Path to vulnerable library: /assets/reveal.js/plugin/multiplex/node_modules/parsejson/package.json

Dependency Hierarchy:

  • socket.io-1.3.7.tgz (Root Library)
    • socket.io-client-1.3.7.tgz
      • engine.io-client-1.5.4.tgz
        • parsejson-0.0.1.tgz (Vulnerable Library)

Found in HEAD commit: e5594a228e351da3651ce49551431e005c6c817c

Found in base branch: main

Vulnerability Details

The parsejson module is vulnerable to regular expression denial of service when untrusted user input is passed into it to be parsed.

Publish Date: 2018-06-07

URL: CVE-2017-16113

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-16113

Release Date: 2018-06-07

Fix Resolution: no_fix

WS-2017-0421

Vulnerable Library - ws-0.8.0.tgz

simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455

Library home page: https://registry.npmjs.org/ws/-/ws-0.8.0.tgz

Path to dependency file: /assets/reveal.js/plugin/multiplex/package.json

Path to vulnerable library: /assets/reveal.js/plugin/multiplex/node_modules/ws/package.json

Dependency Hierarchy:

  • socket.io-1.3.7.tgz (Root Library)
    • engine.io-1.5.4.tgz
      • ws-0.8.0.tgz (Vulnerable Library)

Found in HEAD commit: e5594a228e351da3651ce49551431e005c6c817c

Found in base branch: main

Vulnerability Details

Affected versions of ws (0.2.6 through 3.3.0, excluding 0.3.4-2, 0.3.5-2, 0.3.5-3, 0.3.5-4, 1.1.5, 2.0.0-beta.0, 2.0.0-beta.1 and 2.0.0-beta.2) are vulnerable: a specially crafted value of the Sec-WebSocket-Extensions header that used Object.prototype property names as extension or parameter names could be used to make a ws server crash.

Publish Date: 2017-11-08

URL: WS-2017-0421

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: websockets/ws@c4fe466

Release Date: 2017-11-08

Fix Resolution (ws): 1.1.5

Direct dependency fix Resolution (socket.io): 1.7.4

⛑️ Automatic Remediation is available for this issue

WS-2016-0040

Vulnerable Library - ws-0.8.0.tgz

simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455

Library home page: https://registry.npmjs.org/ws/-/ws-0.8.0.tgz

Path to dependency file: /assets/reveal.js/plugin/multiplex/package.json

Path to vulnerable library: /assets/reveal.js/plugin/multiplex/node_modules/ws/package.json

Dependency Hierarchy:

  • socket.io-1.3.7.tgz (Root Library)
    • engine.io-1.5.4.tgz
      • ws-0.8.0.tgz (Vulnerable Library)

Found in HEAD commit: e5594a228e351da3651ce49551431e005c6c817c

Found in base branch: main

Vulnerability Details

By sending an overly long websocket payload to a ws server, it is possible to crash the node process.

Publish Date: 2016-06-23

URL: WS-2016-0040

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: N/A
    • Attack Complexity: N/A
    • Privileges Required: N/A
    • User Interaction: N/A
    • Scope: N/A
  • Impact Metrics:
    • Confidentiality Impact: N/A
    • Integrity Impact: N/A
    • Availability Impact: N/A

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/120/versions

Release Date: 2016-06-23

Fix Resolution (ws): 1.1.1

Direct dependency fix Resolution (socket.io): 1.5.0

⛑️ Automatic Remediation is available for this issue

CVE-2015-8315

Vulnerable Library - ms-0.6.2.tgz

Tiny ms conversion utility

Library home page: https://registry.npmjs.org/ms/-/ms-0.6.2.tgz

Path to dependency file: /assets/reveal.js/plugin/multiplex/package.json

Path to vulnerable library:

  • /assets/reveal.js/plugin/multiplex/node_modules/engine.io-client/node_modules/ms/package.json
  • /assets/reveal.js/plugin/multiplex/node_modules/engine.io/node_modules/ms/package.json
  • /assets/reveal.js/plugin/multiplex/node_modules/socket.io/node_modules/ms/package.json
  • /assets/reveal.js/plugin/multiplex/node_modules/socket.io-adapter/node_modules/ms/package.json

Dependency Hierarchy:

  • socket.io-1.3.7.tgz (Root Library)
    • debug-2.1.0.tgz
      • ms-0.6.2.tgz (Vulnerable Library)

Found in HEAD commit: e5594a228e351da3651ce49551431e005c6c817c

Found in base branch: main

Vulnerability Details

The ms package before 0.7.1 for Node.js allows attackers to cause a denial of service (CPU consumption) via a long version string, aka a "regular expression denial of service (ReDoS)."

Publish Date: 2017-01-23

URL: CVE-2015-8315

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-8315

Release Date: 2017-01-23

Fix Resolution (ms): 0.7.1

Direct dependency fix Resolution (socket.io): 1.4.0

⛑️ Automatic Remediation is available for this issue

WS-2017-0107

Vulnerable Library - ws-0.8.0.tgz

simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455

Library home page: https://registry.npmjs.org/ws/-/ws-0.8.0.tgz

Path to dependency file: /assets/reveal.js/plugin/multiplex/package.json

Path to vulnerable library: /assets/reveal.js/plugin/multiplex/node_modules/ws/package.json

Dependency Hierarchy:

  • socket.io-1.3.7.tgz (Root Library)
    • engine.io-1.5.4.tgz
      • ws-0.8.0.tgz (Vulnerable Library)

Found in HEAD commit: e5594a228e351da3651ce49551431e005c6c817c

Found in base branch: main

Vulnerability Details

websockets (ws) uses the Math.random function to generate the masking key. This function is not random enough, allowing an attacker to easily guess the key. With the key, an attacker can read the payload, causing potential information disclosure.

Publish Date: 2016-09-20

URL: WS-2017-0107

CVSS 3 Score Details (7.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Adjacent
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: websockets/ws#832

Release Date: 2016-09-20

Fix Resolution (ws): 1.1.2

Direct dependency fix Resolution (socket.io): 1.7.3

⛑️ Automatic Remediation is available for this issue

CVE-2016-10536

Vulnerable Library - engine.io-client-1.5.4.tgz

Client for the realtime Engine

Library home page: https://registry.npmjs.org/engine.io-client/-/engine.io-client-1.5.4.tgz

Path to dependency file: /assets/reveal.js/plugin/multiplex/package.json

Path to vulnerable library: /assets/reveal.js/plugin/multiplex/node_modules/engine.io-client/package.json

Dependency Hierarchy:

  • socket.io-1.3.7.tgz (Root Library)
    • socket.io-client-1.3.7.tgz
      • engine.io-client-1.5.4.tgz (Vulnerable Library)

Found in HEAD commit: e5594a228e351da3651ce49551431e005c6c817c

Found in base branch: main

Vulnerability Details

engine.io-client is the client for engine.io, the implementation of a transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. The vulnerability is related to the way that node.js handles the rejectUnauthorized setting. If the value is something that evaluates to false, certificate verification will be disabled. This is problematic as engine.io-client 1.6.8 and earlier passes in an object for settings that includes the rejectUnauthorized property, whether it has been set or not. If the value has not been explicitly changed, it will be passed in as null, resulting in certificate verification being turned off.

Publish Date: 2018-05-31

URL: CVE-2016-10536

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-10536

Release Date: 2018-05-31

Fix Resolution: JetBrains.Rider.Frontend5 - 212.0.20210826.92917,212.0.20211008.220753;engine.io-client - 1.6.9

CVE-2017-16137

Vulnerable Libraries - debug-1.0.3.tgz, debug-0.7.4.tgz, debug-1.0.2.tgz, debug-2.1.0.tgz, debug-1.0.4.tgz

debug-1.0.3.tgz

small debugging utility

Library home page: https://registry.npmjs.org/debug/-/debug-1.0.3.tgz

Path to dependency file: /assets/reveal.js/plugin/multiplex/package.json

Path to vulnerable library: /assets/reveal.js/plugin/multiplex/node_modules/engine.io/node_modules/debug/package.json

Dependency Hierarchy:

  • socket.io-1.3.7.tgz (Root Library)
    • engine.io-1.5.4.tgz
      • debug-1.0.3.tgz (Vulnerable Library)

debug-0.7.4.tgz

small debugging utility

Library home page: https://registry.npmjs.org/debug/-/debug-0.7.4.tgz

Path to dependency file: /assets/reveal.js/plugin/multiplex/package.json

Path to vulnerable library:

  • /assets/reveal.js/plugin/multiplex/node_modules/socket.io-client/node_modules/debug/package.json
  • /assets/reveal.js/plugin/multiplex/node_modules/socket.io-parser/node_modules/debug/package.json
  • /assets/reveal.js/plugin/multiplex/node_modules/socket.io-adapter/node_modules/socket.io-parser/node_modules/debug/package.json

Dependency Hierarchy:

  • socket.io-1.3.7.tgz (Root Library)
    • socket.io-parser-2.2.4.tgz
      • debug-0.7.4.tgz (Vulnerable Library)

debug-1.0.2.tgz

small debugging utility

Library home page: https://registry.npmjs.org/debug/-/debug-1.0.2.tgz

Path to dependency file: /assets/reveal.js/plugin/multiplex/package.json

Path to vulnerable library: /assets/reveal.js/plugin/multiplex/node_modules/socket.io-adapter/node_modules/debug/package.json

Dependency Hierarchy:

  • socket.io-1.3.7.tgz (Root Library)
    • socket.io-adapter-0.3.1.tgz
      • debug-1.0.2.tgz (Vulnerable Library)

debug-2.1.0.tgz

small debugging utility

Library home page: https://registry.npmjs.org/debug/-/debug-2.1.0.tgz

Path to dependency file: /assets/reveal.js/plugin/multiplex/package.json

Path to vulnerable library: /assets/reveal.js/plugin/multiplex/node_modules/socket.io/node_modules/debug/package.json

Dependency Hierarchy:

  • socket.io-1.3.7.tgz (Root Library)
    • debug-2.1.0.tgz (Vulnerable Library)

debug-1.0.4.tgz

small debugging utility

Library home page: https://registry.npmjs.org/debug/-/debug-1.0.4.tgz

Path to dependency file: /assets/reveal.js/plugin/multiplex/package.json

Path to vulnerable library: /assets/reveal.js/plugin/multiplex/node_modules/engine.io-client/node_modules/debug/package.json

Dependency Hierarchy:

  • socket.io-1.3.7.tgz (Root Library)
    • socket.io-client-1.3.7.tgz
      • engine.io-client-1.5.4.tgz
        • debug-1.0.4.tgz (Vulnerable Library)

Found in HEAD commit: e5594a228e351da3651ce49551431e005c6c817c

Found in base branch: main

Vulnerability Details

The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.

Publish Date: 2018-06-07

URL: CVE-2017-16137

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16137

Release Date: 2018-06-07

Fix Resolution (debug): 2.6.9

Direct dependency fix Resolution (socket.io): 2.0.2
⛑️ Automatic Remediation is available for this issue

CVE-2020-28481

Vulnerable Library - socket.io-1.3.7.tgz

node.js realtime framework server

Library home page: https://registry.npmjs.org/socket.io/-/socket.io-1.3.7.tgz

Path to dependency file: /assets/reveal.js/plugin/multiplex/package.json

Path to vulnerable library: /assets/reveal.js/plugin/multiplex/node_modules/socket.io/package.json

Dependency Hierarchy:

  • socket.io-1.3.7.tgz (Vulnerable Library)

Found in HEAD commit: e5594a228e351da3651ce49551431e005c6c817c

Found in base branch: main

Vulnerability Details

The package socket.io before 2.4.0 is vulnerable to Insecure Defaults due to CORS Misconfiguration. All domains are whitelisted by default.

Publish Date: 2021-01-19

URL: CVE-2020-28481

CVSS 3 Score Details (4.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28481

Release Date: 2021-01-19

Fix Resolution: 2.4.0

⛑️ Automatic Remediation is available for this issue

WS-2017-0247

Vulnerable Library - ms-0.6.2.tgz

Tiny ms conversion utility

Library home page: https://registry.npmjs.org/ms/-/ms-0.6.2.tgz

Path to dependency file: /assets/reveal.js/plugin/multiplex/package.json

Path to vulnerable library:

  • /assets/reveal.js/plugin/multiplex/node_modules/engine.io-client/node_modules/ms/package.json
  • /assets/reveal.js/plugin/multiplex/node_modules/engine.io/node_modules/ms/package.json
  • /assets/reveal.js/plugin/multiplex/node_modules/socket.io/node_modules/ms/package.json
  • /assets/reveal.js/plugin/multiplex/node_modules/socket.io-adapter/node_modules/ms/package.json

Dependency Hierarchy:

  • socket.io-1.3.7.tgz (Root Library)
    • debug-2.1.0.tgz
      • ms-0.6.2.tgz (Vulnerable Library)

Found in HEAD commit: e5594a228e351da3651ce49551431e005c6c817c

Found in base branch: main

Vulnerability Details

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS).

Publish Date: 2017-04-12

URL: WS-2017-0247

CVSS 2 Score Details (3.4)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: vercel/ms#89

Release Date: 2017-04-12

Fix Resolution (ms): 2.0.0

Direct dependency fix Resolution (socket.io): 2.0.2

⛑️ Automatic Remediation is available for this issue
⛑️ Automatic Remediation is available for this issue.

@dev-mend-for-github-com dev-mend-for-github-com bot added the security vulnerability Security vulnerability detected by WhiteSource label Apr 24, 2022