How severe is CVE-2022-31183?

This vulnerability has a severity rating of CRITICAL with a CVSS score of 9.8 out of 10.

What type of vulnerability is CVE-2022-31183?

This is classified as CWE-295, which is a common weakness in software security.

CVE-2022-31183 - CRITICAL Severity | CVSS 9.8

Vulnerability Description

fs2 is a compositional, streaming I/O library for Scala. When establishing a server-mode `TLSSocket` using `fs2-io` on Node.js, the parameter `requestCert = true` is ignored, peer certificate verification is skipped, and the connection proceeds. The vulnerability is limited to: 1. `fs2-io` running on Node.js. The JVM TLS implementation is completely independent. 2. `TLSSocket`s in server-mode. Client-mode `TLSSocket`s are implemented via a different API. 3. mTLS as enabled via `requestCert = true` in `TLSParameters`. The default setting is `false` for server-mode `TLSSocket`s. It was introduced with the initial Node.js implementation of fs2-io in 3.1.0. A patch is released in v3.2.11. The requestCert = true parameter is respected and the peer certificate is verified. If verification fails, a SSLException is raised. If using an unpatched version on Node.js, do not use a server-mode TLSSocket with requestCert = true to establish a mTLS connection.

Related Vulnerabilities

CVE-2010-1378

CRITICAL

CVSS:9.8(Critical)

OpenSSL in Apple Mac OS X 10.6.x before 10.6.5 does not properly perform arithmetic, which allows remote attackers to bypass X.509 certificate authentication via an arbitrary certificate issued by a l...

CWE-2952010

CVE-2010-4533

CRITICAL

CVSS:9.8(Critical)

offlineimap before 6.3.4 added support for SSL server certificate validation but it is still possible to use SSL v2 protocol, which is a flawed protocol with multiple security deficiencies.

CWE-2952010

CVE-2015-2320

CRITICAL

CVSS:9.8(Critical)

The TLS stack in Mono before 3.12.1 allows remote attackers to have unspecified impact via vectors related to client-side SSLv2 fallback.

CWE-2952015

CVE-2015-3886

CRITICAL

CVSS:9.8(Critical)

libinfinity before 0.6.6-1 does not validate expired SSL certificates, which allows remote attackers to have unspecified impact via unknown vectors.

CWE-2952015

CVE-2015-7826

CRITICAL

CVSS:9.8(Critical)

botan 1.11.x before 1.11.22 improperly handles wildcard matching against hostnames, which might allow remote attackers to have unspecified impact via a valid X.509 certificate, as demonstrated by acce...

CWE-2952015

CVE-2016-1000030

CRITICAL

CVSS:9.8(Critical)

Pidgin version <2.11.0 contains a vulnerability in X.509 Certificates imports specifically due to improper check of return values from gnutls_x509_crt_init() and gnutls_x509_crt_import() that can resu...

CWE-2952016