Vulnerability DatabaseCVE-2022-31183
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2022-31183
August 01, 2022
fs2 is a compositional, streaming I/O library for Scala. When establishing a server-mode "TLSSocket" using "fs2-io" on Node.js, the parameter "requestCert = true" is ignored, peer certificate verification is skipped, and the connection proceeds. The vulnerability is limited to: 1. "fs2-io" running on Node.js. The JVM TLS implementation is completely independent. 2. "TLSSocket"s in server-mode. Client-mode "TLSSocket"s are implemented via a different API. 3. mTLS as enabled via "requestCert = true" in "TLSParameters". The default setting is "false" for server-mode "TLSSocket"s. It was introduced with the initial Node.js implementation of fs2-io in 3.1.0. A patch is released in v3.2.11. The requestCert = true parameter is respected and the peer certificate is verified. If verification fails, a SSLException is raised. If using an unpatched version on Node.js, do not use a server-mode TLSSocket with requestCert = true to establish a mTLS connection.
Affected Packages
co.fs2:fs2-io_sjs1_3 (JAVA):
Affected version(s) >=3.1.0 <3.2.11
Fix Suggestion:
Update to version 3.2.11
co.fs2:fs2-io_3 (JAVA):
Affected version(s) >=3.1.0 <3.2.11
Fix Suggestion:
Update to version 3.2.11
co.fs2:fs2-io_2.12 (JAVA):
Affected version(s) >=3.1.0 <3.2.11
Fix Suggestion:
Update to version 3.2.11
co.fs2:fs2-io_2.13 (JAVA):
Affected version(s) >=3.1.0 <3.2.11
Fix Suggestion:
Update to version 3.2.11
co.fs2:fs2-io_sjs1_2.13 (JAVA):
Affected version(s) >=3.1.0 <3.2.11
Fix Suggestion:
Update to version 3.2.11
Related ResourcesĀ (8)
https://github.com/nodejs/node/issues/43994
https://nvd.nist.gov/vuln/detail/CVE-2022-31183
https://github.com/typelevel/fs2/releases/tag/v3.2.11
https://github.com/typelevel/fs2
https://github.com/typelevel/fs2/commit/19ce392e8093d9571387dbd78e159e655a85aeea
https://github.com/typelevel/fs2/security/advisories/GHSA-2cpx-6pqp-wf35
https://github.com/typelevel/fs2/commit/659824395826a314e0a4331535dbf1ef8bef8207
https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/31xxx/CVE-2022-31183.json
Do you need more information?
Contact Us
CVSS v4
Base Score:
9.3
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
HIGH
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
9.1
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
NONE
Weakness Type (CWE)
Improper Certificate Validation
CWE-295
EPSS
Base Score:
0.21