Lucene search

[email protected]CVE-2022-31183

HistoryAug 01, 2022 - 8:15 p.m.

CVE-2022-31183

2022-08-0120:15:08

CWE-295

[email protected]

web.nvd.nist.gov

cve

2022

31183

fs2

scala

node.js

tlssocket

mtls

vulnerability

patch

sslexception

security

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.3 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

59.1%

JSON

fs2 is a compositional, streaming I/O library for Scala. When establishing a server-mode TLSSocket using fs2-io on Node.js, the parameter requestCert = true is ignored, peer certificate verification is skipped, and the connection proceeds. The vulnerability is limited to: 1. fs2-io running on Node.js. The JVM TLS implementation is completely independent. 2. TLSSockets in server-mode. Client-mode TLSSockets are implemented via a different API. 3. mTLS as enabled via requestCert = true in TLSParameters. The default setting is false for server-mode TLSSockets. It was introduced with the initial Node.js implementation of fs2-io in 3.1.0. A patch is released in v3.2.11. The requestCert = true parameter is respected and the peer certificate is verified. If verification fails, a SSLException is raised. If using an unpatched version on Node.js, do not use a server-mode TLSSocket with requestCert = true to establish a mTLS connection.

Affected configurations

Vulners

NVD

Node

typelevelfs2Range3.1.0–3.2.11

VendorProductVersionCPE
typelevelfs2*cpe:2.3:a:typelevel:fs2:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
typelevel	fs2	*	cpe:2.3:a:typelevel:fs2::::::::

CNA Affected

[
  {
    "product": "fs2",
    "vendor": "typelevel",
    "versions": [
      {
        "status": "affected",
        "version": ">= 3.1.0, < 3.2.11"
      }
    ]
  }
]