CVE-2022-31013
9.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Summary
Chat Server is the chat server for Vartalap, an open-source messaging application. Versions 2.3.2 until 2.6.0 suffer from a bug in validating the access token, resulting in authentication bypass. The function this.authProvider.verifyAccessKey is an async function, as the code is not using await to wait for the verification result. Every time the function responds back with success, along with an unhandled exception if the token is invalid. A patch is available in version 2.6.0.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| ramank775 | chat-server | >= 2.3.2, < 2.6.0 | affected |
Weaknesses
- CWE-287: CWE-287: Improper Authentication
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/ramank775/chat-server/security/advisories/GHSA-xx4j-qqpp-v277
- https://github.com/ramank775/chat-server/discussions/78
- https://github.com/ramank775/chat-server/releases/tag/v2.6.0
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: total
References
- https://github.com/ramank775/chat-server/security/advisories/GHSA-xx4j-qqpp-v277
- https://github.com/ramank775/chat-server/discussions/78
- https://github.com/ramank775/chat-server/releases/tag/v2.6.0
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.