Vulnerability Description
Chat Server is the chat server for Vartalap, an open-source messaging application. Versions 2.3.2 until 2.6.0 suffer from a bug in validating the access token, resulting in authentication bypass. The function `this.authProvider.verifyAccessKey` is an async function, as the code is not using `await` to wait for the verification result. Every time the function responds back with success, along with an unhandled exception if the token is invalid. A patch is available in version 2.6.0.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Chat Server Project | Chat Server | >= 2.3.2, < 2.6.0 |
Related Weaknesses (CWE)
References
- https://github.com/ramank775/chat-server/discussions/78Issue TrackingThird Party Advisory
- https://github.com/ramank775/chat-server/releases/tag/v2.6.0Release NotesThird Party Advisory
- https://github.com/ramank775/chat-server/security/advisories/GHSA-xx4j-qqpp-v277PatchThird Party Advisory
- https://github.com/ramank775/chat-server/discussions/78Issue TrackingThird Party Advisory
- https://github.com/ramank775/chat-server/releases/tag/v2.6.0Release NotesThird Party Advisory
- https://github.com/ramank775/chat-server/security/advisories/GHSA-xx4j-qqpp-v277PatchThird Party Advisory
FAQ
What is CVE-2022-31013?
CVE-2022-31013 is a vulnerability with a CVSS score of 9.1 (CRITICAL). Chat Server is the chat server for Vartalap, an open-source messaging application. Versions 2.3.2 until 2.6.0 suffer from a bug in validating the access token, resulting in authentication bypass. The ...
How severe is CVE-2022-31013?
CVE-2022-31013 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2022-31013?
Check the references section above for vendor advisories and patch information. Affected products include: Chat Server Project Chat Server.