CVE-2022-31013

Sažetak

Chat Server is the chat server for Vartalap, an open-source messaging application. Versions 2.3.2 until 2.6.0 suffer from a bug in validating the access token, resulting in authentication bypass. The function `this.authProvider.verifyAccessKey` is an async function, as the code is not using `await` to wait for the verification result. Every time the function responds back with success, along with an unhandled exception if the token is invalid. A patch is available in version 2.6.0.

Reference

https://github.com/ramank775/chat-server/discussions/78
https://github.com/ramank775/chat-server/security/advisories/GHSA-xx4j-qqpp-v277
https://github.com/ramank775/chat-server/releases/tag/v2.6.0

CVSS

Base:	7.5
Impact:	6.4
Exploitability:	10.0

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
PARTIAL	PARTIAL	PARTIAL

CVSS vektor

AV:N/AC:L/Au:N/C:P/I:P/A:P

Zadnje važnije ažuriranje

14-06-2022 - 22:33

Objavljeno

31-05-2022 - 23:15