CVE-2022-31013

Source
https://cve.org/CVERecord?id=CVE-2022-31013
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-31013.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-31013
Aliases
  • GHSA-xx4j-qqpp-v277
Published
2022-05-31T22:35:11Z
Modified
2026-04-02T07:58:34.643763Z
Severity
  • 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
Summary
Authentication bypass in Vartalap chat-server
Details

Chat Server is the chat server for Vartalap, an open-source messaging application. Versions 2.3.2 until 2.6.0 suffer from a bug in validating the access token, resulting in authentication bypass. The function this.authProvider.verifyAccessKey is an async function, as the code is not using await to wait for the verification result. Every time the function responds back with success, along with an unhandled exception if the token is invalid. A patch is available in version 2.6.0.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/31xxx/CVE-2022-31013.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-287"
    ]
}
References

Affected packages

Git / github.com/ramank775/chat-server

Affected ranges

Type
GIT
Repo
https://github.com/ramank775/chat-server
Events

Affected versions

v2.*
v2.3.2
v2.5.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-31013.json"