exploitDog

CVE-2022-31013

Published: May 31, 2022
Source: NVD
CVSS3: 9.1
CVSS3: 9.8
CVSS2: 7.5
EPSS: Low

Description

Chat Server is the chat server for Vartalap, an open-source messaging application. Versions from 2.3.2 up to (but not including) 2.6.0 suffer from a bug in validating the access token, resulting in authentication bypass. The function this.authProvider.verifyAccessKey is an async function, but the calling code does not use await to wait for the verification result. As a result, the function responds with success every time, and an invalid token only produces an unhandled exception. A patch is available in version 2.6.0.
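
The missing-await flaw described above, reduced to a minimal added example (this is not Vartalap's code). The authProvider object, its (user, token) signature, the function names authenticateVulnerable, authenticateFixed and runDemo, and the token values are all assumptions constructed for illustration.

```javascript
// Constructed stand-in for the server's auth provider (hypothetical, not Vartalap code):
// resolves for the demo token and rejects for anything else.
const authProvider = {
  async verifyAccessKey(user, token) {
    if (token !== "demo-valid-token") throw new Error("invalid access key");
  },
};

// Record rejections nobody awaited. These are the "unhandled exception" side
// effect, and a useful log signal that a check ran without gating anything.
const unhandled = [];
process.on("unhandledRejection", (err) => unhandled.push(err.message));

// Vulnerable pattern: the call only creates a promise. Nothing is thrown
// inside the try block, so the catch never runs and every token is accepted.
async function authenticateVulnerable(user, token) {
  try {
    authProvider.verifyAccessKey(user, token); // missing await
    return { authenticated: true, user };
  } catch (err) {
    return { authenticated: false };
  }
}

// Corrected pattern: await turns the rejection into an exception at this
// point, so the failure path runs and no rejection is left unhandled.
async function authenticateFixed(user, token) {
  try {
    await authProvider.verifyAccessKey(user, token);
    return { authenticated: true, user };
  } catch (err) {
    return { authenticated: false };
  }
}

async function runDemo() {
  const bad = "forged-token"; // constructed sample input
  const vulnerable = await authenticateVulnerable("alice", bad);
  const fixed = await authenticateFixed("alice", bad);
  const fixedValid = await authenticateFixed("alice", "demo-valid-token");
  await new Promise((resolve) => setTimeout(resolve, 10)); // let the rejection surface
  return { vulnerable, fixed, fixedValid, unhandled: [...unhandled] };
}

runDemo().then((result) => console.log(JSON.stringify(result, null, 2)));
```

Unhandled promise rejections logged from an authentication path are worth alerting on, and a lint rule such as @typescript-eslint/no-floating-promises catches the pattern before it ships.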

Vulnerable configurations

Configuration 1
cpe:2.3:a:chat_server_project:chat_server:*:*:*:*:*:*:*:*
Versions from 2.3.2 (inclusive) to 2.6.0 (exclusive)

EPSS

Percentile: 65%
0.00495
Low

9.1 Critical

CVSS3

9.8 Critical

CVSS3

7.5 High

CVSS2

Weaknesses

CWE-287
CWE-20
