CVE-2022-31142

 

Published at: - 14-07-2022 09:15

Last modified: - 20-07-2022 02:45

Total changes: - 3

Description

@fastify/bearer-auth is a Fastify plugin to require bearer Authorization headers. @fastify/bearer-auth prior to versions 7.0.2 and 8.0.1 does not securely use crypto.timingSafeEqual. A malicious attacker could estimate the length of one valid bearer token. According to the corresponding RFC 6750, the bearer token has only base64 valid characters, reducing the range of characters for a brute force attack. Version 7.0.2 and 8.0.1 of @fastify/bearer-auth contain a patch. There are currently no known workarounds. The package fastify-bearer-auth, which covers versions 6.0.3 and prior, is also vulnerable starting at version 5.0.1. Users of fastify-bearer-auth should upgrade to a patched version of @fastify/bearer-auth.

Common Vulnerability Scoring System (CVSS)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

 

Verification logic

 

Reference

• https://github.com/fastify/fastify-bearer-auth/commit/f921a0582dc83112039004a9b5041141b50c5b3f
• https://github.com/fastify/fastify-bearer-auth/commit/39353b15409ee99474545f615ffb16180cf3b716
• https://github.com/fastify/fastify-bearer-auth/security/advisories/GHSA-376v-xgjx-7mfr
• https://hackerone.com/reports/1633287
• https://github.com/fastify/fastify-bearer-auth/commit/0c468a616d7e56126dc468150f6a5a92e530b8e4

 

Keywords

NVD

 

CVE-2022-31142

 

CVE

 

Common vulnerabilities & exposures

 

CVSS

 

Common vulnerability scoring system

 

Security

 

Vulnerabilities

 

Exposures