Published: May 31, 2022 - 10:35 p.m.

CVE-2022-31013 Authentication bypass in Vartalap chat-server

CWE-287 (Improper Authentication)
Source: GitHub_M (www.cve.org)
Tags: cve-2022-31013, vartalap chat-server, authentication bypass, bug, access token, async function, unhandled exception, patch available

CVSS3: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE

AI Score: 9.8 (Confidence: High)
EPSS: 0.002 (Percentile: 57.0%)

Chat Server is the chat server for Vartalap, an open-source messaging application. Versions from 2.3.2 up to, but not including, 2.6.0 contain a bug in access-token validation that results in an authentication bypass. The function this.authProvider.verifyAccessKey is an async function, but the calling code does not await its result. The caller therefore always continues as if verification had succeeded, and an invalid token surfaces only later as an unhandled exception (a rejected promise nobody handles) instead of rejecting the connection. A patch is available in version 2.6.0.

CNA Affected

[
  {
    "product": "chat-server",
    "vendor": "ramank775",
    "versions": [
      {
        "status": "affected",
        "version": ">= 2.3.2, < 2.6.0"
      }
    ]
  }
]
