9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.002 Low
EPSS
Percentile
59.1%
When establishing a server-mode TLSSocket
using fs2-io
on Node.js, the parameter requestCert = true
is ignored, peer certificate verification is skipped, and the connection proceeds.
The vulnerability is limited to:
fs2-io
running on Node.js. The JVM TLS implementation is completely independent.TLSSocket
s in server-mode. Client-mode TLSSocket
s are implemented via a different API.requestCert = true
in TLSParameters
. The default setting is false
for server-mode TLSSocket
s.It was introduced with the initial Node.js implementation of fs2-io in v3.1.0.
A patch is released in v3.2.11. The requestCert = true
parameter is respected and the peer certificate is verified. If verification fails, a SSLException
is raised.
If using an unpatched version on Node.js, do not use a server-mode TLSSocket
with requestCert = true
to establish a mTLS connection.
If you have any questions or comments about this advisory:
github.com/nodejs/node/issues/43994
github.com/typelevel/fs2
github.com/typelevel/fs2/commit/19ce392e8093d9571387dbd78e159e655a85aeea
github.com/typelevel/fs2/commit/659824395826a314e0a4331535dbf1ef8bef8207
github.com/typelevel/fs2/releases/tag/v3.2.11
github.com/typelevel/fs2/security/advisories/GHSA-2cpx-6pqp-wf35
nvd.nist.gov/vuln/detail/CVE-2022-31183