GHSA-2cpx-6pqp-wf35

Suggest an improvement
Source
https://github.com/advisories/GHSA-2cpx-6pqp-wf35
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-2cpx-6pqp-wf35/GHSA-2cpx-6pqp-wf35.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-2cpx-6pqp-wf35
Aliases
Published
2022-07-29T22:24:10Z
Modified
2023-11-01T04:59:00.795159Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
fs2-io skips mTLS client verification
Details

Impact

When establishing a server-mode TLSSocket using fs2-io on Node.js, the parameter requestCert = true is ignored, peer certificate verification is skipped, and the connection proceeds.

The vulnerability is limited to: 1. fs2-io running on Node.js. The JVM TLS implementation is completely independent. 2. TLSSockets in server-mode. Client-mode TLSSockets are implemented via a different API. 3. mTLS as enabled via requestCert = true in TLSParameters. The default setting is false for server-mode TLSSockets.

It was introduced with the initial Node.js implementation of fs2-io in v3.1.0.

Patches

A patch is released in v3.2.11. The requestCert = true parameter is respected and the peer certificate is verified. If verification fails, a SSLException is raised.

Workarounds

If using an unpatched version on Node.js, do not use a server-mode TLSSocket with requestCert = true to establish a mTLS connection.

References

  • https://github.com/nodejs/node/issues/43994
  • https://www.cloudflare.com/learning/access-management/what-is-mutual-tls/

For more information

If you have any questions or comments about this advisory: * Open an issue. * Contact the Typelevel Security Team.

Database specific
{
    "nvd_published_at": "2022-08-01T20:15:00Z",
    "github_reviewed_at": "2022-07-29T22:24:10Z",
    "severity": "CRITICAL",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-295"
    ]
}
References

Affected packages

Maven / co.fs2:fs2-io

Package

Name
co.fs2:fs2-io
View open source insights on deps.dev
Purl
pkg:maven/co.fs2/fs2-io

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.1.0
Fixed
3.2.11