CVE-2022-31013

Authentication bypass in Vartalap chat-server

Description

Chat Server is the chat server for Vartalap, an open-source messaging application. Versions 2.3.2 until 2.6.0 suffer from a bug in validating the access token, resulting in authentication bypass. The function `this.authProvider.verifyAccessKey` is an async function, as the code is not using `await` to wait for the verification result. Every time the function responds back with success, along with an unhandled exception if the token is invalid. A patch is available in version 2.6.0.

References

Link	Tags
https://github.com/ramank775/chat-server/security/advisories/GHSA-xx4j-qqpp-v277	third party advisory patch
https://github.com/ramank775/chat-server/discussions/78	third party advisory issue tracking
https://github.com/ramank775/chat-server/releases/tag/v2.6.0	third party advisory release notes

Frequently Asked Questions

What is the severity of CVE-2022-31013?: CVE-2022-31013 has been scored as a critical severity vulnerability.
How to fix CVE-2022-31013?: To fix CVE-2022-31013, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2022-31013 being actively exploited in the wild?: As for now, there are no information to confirm that CVE-2022-31013 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2022-31013?: CVE-2022-31013 affects ramank775 chat-server.

Description

Categories

CWE-287 – Improper Authentication

CWE-20 – Improper Input Validation

References

Frequently Asked Questions