Vulnerability-Lookup

CVE-2022-31142 (GCVE-0-2022-31142)

Vulnerability from cvelistv5 – Published: 2022-07-14 18:55 – Updated: 2025-04-23 18:02

Title

Potential Timing Attack Vector in @fastify/bearer-auth

Summary

@fastify/bearer-auth is a Fastify plugin to require bearer Authorization headers. @fastify/bearer-auth prior to versions 7.0.2 and 8.0.1 does not securely use crypto.timingSafeEqual. A malicious attacker could estimate the length of one valid bearer token. According to the corresponding RFC 6750, the bearer token has only base64 valid characters, reducing the range of characters for a brute force attack. Version 7.0.2 and 8.0.1 of @fastify/bearer-auth contain a patch. There are currently no known workarounds. The package fastify-bearer-auth, which covers versions 6.0.3 and prior, is also vulnerable starting at version 5.0.1. Users of fastify-bearer-auth should upgrade to a patched version of @fastify/bearer-auth.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE

CWE-208 - Observable Timing Discrepancy

Assigner

GitHub_M

References

URL

Tags

	https://github.com/fastify/fastify-bearer-auth/se…	x_refsource_CONFIRM
	https://github.com/fastify/fastify-bearer-auth/co…	x_refsource_MISC
	https://github.com/fastify/fastify-bearer-auth/co…	x_refsource_MISC
	https://github.com/fastify/fastify-bearer-auth/co…	x_refsource_MISC
	https://hackerone.com/reports/1633287	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	fastify	fastify-bearer-auth	Affected: >= 5.0.1, < 7.0.2 Affected: = 8.0.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T07:11:39.576Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/fastify/fastify-bearer-auth/security/advisories/GHSA-376v-xgjx-7mfr"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/fastify/fastify-bearer-auth/commit/0c468a616d7e56126dc468150f6a5a92e530b8e4"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/fastify/fastify-bearer-auth/commit/39353b15409ee99474545f615ffb16180cf3b716"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/fastify/fastify-bearer-auth/commit/f921a0582dc83112039004a9b5041141b50c5b3f"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://hackerone.com/reports/1633287"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-31142",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-23T15:53:32.961418Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-23T18:02:16.307Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "fastify-bearer-auth",
          "vendor": "fastify",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 5.0.1, \u003c 7.0.2"
            },
            {
              "status": "affected",
              "version": "= 8.0.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "@fastify/bearer-auth is a Fastify plugin to require bearer Authorization headers. @fastify/bearer-auth prior to versions 7.0.2 and 8.0.1 does not securely use crypto.timingSafeEqual. A malicious attacker could estimate the length of one valid bearer token. According to the corresponding RFC 6750, the bearer token has only base64 valid characters, reducing the range of characters for a brute force attack. Version 7.0.2 and 8.0.1 of @fastify/bearer-auth contain a patch. There are currently no known workarounds. The package fastify-bearer-auth, which covers versions 6.0.3 and prior, is also vulnerable starting at version 5.0.1. Users of fastify-bearer-auth should upgrade to a patched version of @fastify/bearer-auth."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-208",
              "description": "CWE-208: Observable Timing Discrepancy",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-07-14T18:55:11.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/fastify/fastify-bearer-auth/security/advisories/GHSA-376v-xgjx-7mfr"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/fastify/fastify-bearer-auth/commit/0c468a616d7e56126dc468150f6a5a92e530b8e4"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/fastify/fastify-bearer-auth/commit/39353b15409ee99474545f615ffb16180cf3b716"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/fastify/fastify-bearer-auth/commit/f921a0582dc83112039004a9b5041141b50c5b3f"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://hackerone.com/reports/1633287"
        }
      ],
      "source": {
        "advisory": "GHSA-376v-xgjx-7mfr",
        "discovery": "UNKNOWN"
      },
      "title": "Potential Timing Attack Vector in @fastify/bearer-auth",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2022-31142",
          "STATE": "PUBLIC",
          "TITLE": "Potential Timing Attack Vector in @fastify/bearer-auth"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "fastify-bearer-auth",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003e= 5.0.1, \u003c 7.0.2"
                          },
                          {
                            "version_value": "= 8.0.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "fastify"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "@fastify/bearer-auth is a Fastify plugin to require bearer Authorization headers. @fastify/bearer-auth prior to versions 7.0.2 and 8.0.1 does not securely use crypto.timingSafeEqual. A malicious attacker could estimate the length of one valid bearer token. According to the corresponding RFC 6750, the bearer token has only base64 valid characters, reducing the range of characters for a brute force attack. Version 7.0.2 and 8.0.1 of @fastify/bearer-auth contain a patch. There are currently no known workarounds. The package fastify-bearer-auth, which covers versions 6.0.3 and prior, is also vulnerable starting at version 5.0.1. Users of fastify-bearer-auth should upgrade to a patched version of @fastify/bearer-auth."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-208: Observable Timing Discrepancy"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/fastify/fastify-bearer-auth/security/advisories/GHSA-376v-xgjx-7mfr",
              "refsource": "CONFIRM",
              "url": "https://github.com/fastify/fastify-bearer-auth/security/advisories/GHSA-376v-xgjx-7mfr"
            },
            {
              "name": "https://github.com/fastify/fastify-bearer-auth/commit/0c468a616d7e56126dc468150f6a5a92e530b8e4",
              "refsource": "MISC",
              "url": "https://github.com/fastify/fastify-bearer-auth/commit/0c468a616d7e56126dc468150f6a5a92e530b8e4"
            },
            {
              "name": "https://github.com/fastify/fastify-bearer-auth/commit/39353b15409ee99474545f615ffb16180cf3b716",
              "refsource": "MISC",
              "url": "https://github.com/fastify/fastify-bearer-auth/commit/39353b15409ee99474545f615ffb16180cf3b716"
            },
            {
              "name": "https://github.com/fastify/fastify-bearer-auth/commit/f921a0582dc83112039004a9b5041141b50c5b3f",
              "refsource": "MISC",
              "url": "https://github.com/fastify/fastify-bearer-auth/commit/f921a0582dc83112039004a9b5041141b50c5b3f"
            },
            {
              "name": "https://hackerone.com/reports/1633287",
              "refsource": "MISC",
              "url": "https://hackerone.com/reports/1633287"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-376v-xgjx-7mfr",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2022-31142",
    "datePublished": "2022-07-14T18:55:11.000Z",
    "dateReserved": "2022-05-18T00:00:00.000Z",
    "dateUpdated": "2025-04-23T18:02:16.307Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/fastify/fastify-bearer-auth/security/advisories/GHSA-376v-xgjx-7mfr\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/fastify/fastify-bearer-auth/commit/0c468a616d7e56126dc468150f6a5a92e530b8e4\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/fastify/fastify-bearer-auth/commit/39353b15409ee99474545f615ffb16180cf3b716\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/fastify/fastify-bearer-auth/commit/f921a0582dc83112039004a9b5041141b50c5b3f\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://hackerone.com/reports/1633287\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T07:11:39.576Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-31142\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-04-23T15:53:32.961418Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-04-23T15:53:34.353Z\"}}], \"cna\": {\"title\": \"Potential Timing Attack Vector in @fastify/bearer-auth\", \"source\": {\"advisory\": \"GHSA-376v-xgjx-7mfr\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"fastify\", \"product\": \"fastify-bearer-auth\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 5.0.1, \u003c 7.0.2\"}, {\"status\": \"affected\", \"version\": \"= 8.0.0\"}]}], \"references\": [{\"url\": \"https://github.com/fastify/fastify-bearer-auth/security/advisories/GHSA-376v-xgjx-7mfr\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/fastify/fastify-bearer-auth/commit/0c468a616d7e56126dc468150f6a5a92e530b8e4\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/fastify/fastify-bearer-auth/commit/39353b15409ee99474545f615ffb16180cf3b716\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/fastify/fastify-bearer-auth/commit/f921a0582dc83112039004a9b5041141b50c5b3f\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://hackerone.com/reports/1633287\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"@fastify/bearer-auth is a Fastify plugin to require bearer Authorization headers. @fastify/bearer-auth prior to versions 7.0.2 and 8.0.1 does not securely use crypto.timingSafeEqual. A malicious attacker could estimate the length of one valid bearer token. According to the corresponding RFC 6750, the bearer token has only base64 valid characters, reducing the range of characters for a brute force attack. Version 7.0.2 and 8.0.1 of @fastify/bearer-auth contain a patch. There are currently no known workarounds. The package fastify-bearer-auth, which covers versions 6.0.3 and prior, is also vulnerable starting at version 5.0.1. Users of fastify-bearer-auth should upgrade to a patched version of @fastify/bearer-auth.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-208\", \"description\": \"CWE-208: Observable Timing Discrepancy\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2022-07-14T18:55:11.000Z\"}, \"x_legacyV4Record\": {\"impact\": {\"cvss\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}, \"source\": {\"advisory\": \"GHSA-376v-xgjx-7mfr\", \"discovery\": \"UNKNOWN\"}, \"affects\": {\"vendor\": {\"vendor_data\": [{\"product\": {\"product_data\": [{\"version\": {\"version_data\": [{\"version_value\": \"\u003e= 5.0.1, \u003c 7.0.2\"}, {\"version_value\": \"= 8.0.0\"}]}, \"product_name\": \"fastify-bearer-auth\"}]}, \"vendor_name\": \"fastify\"}]}}, \"data_type\": \"CVE\", \"references\": {\"reference_data\": [{\"url\": \"https://github.com/fastify/fastify-bearer-auth/security/advisories/GHSA-376v-xgjx-7mfr\", \"name\": \"https://github.com/fastify/fastify-bearer-auth/security/advisories/GHSA-376v-xgjx-7mfr\", \"refsource\": \"CONFIRM\"}, {\"url\": \"https://github.com/fastify/fastify-bearer-auth/commit/0c468a616d7e56126dc468150f6a5a92e530b8e4\", \"name\": \"https://github.com/fastify/fastify-bearer-auth/commit/0c468a616d7e56126dc468150f6a5a92e530b8e4\", \"refsource\": \"MISC\"}, {\"url\": \"https://github.com/fastify/fastify-bearer-auth/commit/39353b15409ee99474545f615ffb16180cf3b716\", \"name\": \"https://github.com/fastify/fastify-bearer-auth/commit/39353b15409ee99474545f615ffb16180cf3b716\", \"refsource\": \"MISC\"}, {\"url\": \"https://github.com/fastify/fastify-bearer-auth/commit/f921a0582dc83112039004a9b5041141b50c5b3f\", \"name\": \"https://github.com/fastify/fastify-bearer-auth/commit/f921a0582dc83112039004a9b5041141b50c5b3f\", \"refsource\": \"MISC\"}, {\"url\": \"https://hackerone.com/reports/1633287\", \"name\": \"https://hackerone.com/reports/1633287\", \"refsource\": \"MISC\"}]}, \"data_format\": \"MITRE\", \"description\": {\"description_data\": [{\"lang\": \"eng\", \"value\": \"@fastify/bearer-auth is a Fastify plugin to require bearer Authorization headers. @fastify/bearer-auth prior to versions 7.0.2 and 8.0.1 does not securely use crypto.timingSafeEqual. A malicious attacker could estimate the length of one valid bearer token. According to the corresponding RFC 6750, the bearer token has only base64 valid characters, reducing the range of characters for a brute force attack. Version 7.0.2 and 8.0.1 of @fastify/bearer-auth contain a patch. There are currently no known workarounds. The package fastify-bearer-auth, which covers versions 6.0.3 and prior, is also vulnerable starting at version 5.0.1. Users of fastify-bearer-auth should upgrade to a patched version of @fastify/bearer-auth.\"}]}, \"problemtype\": {\"problemtype_data\": [{\"description\": [{\"lang\": \"eng\", \"value\": \"CWE-208: Observable Timing Discrepancy\"}]}]}, \"data_version\": \"4.0\", \"CVE_data_meta\": {\"ID\": \"CVE-2022-31142\", \"STATE\": \"PUBLIC\", \"TITLE\": \"Potential Timing Attack Vector in @fastify/bearer-auth\", \"ASSIGNER\": \"security-advisories@github.com\"}}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2022-31142\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-04-23T18:02:16.307Z\", \"dateReserved\": \"2022-05-18T00:00:00.000Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2022-07-14T18:55:11.000Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GSD-2022-31142

Vulnerability from gsd - Updated: 2023-12-13 01:19

Details

Aliases

CVE-2022-31142

Aliases

CVE-2022-31142

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2022-31142",
    "description": "@fastify/bearer-auth is a Fastify plugin to require bearer Authorization headers. @fastify/bearer-auth prior to versions 7.0.2 and 8.0.1 does not securely use crypto.timingSafeEqual. A malicious attacker could estimate the length of one valid bearer token. According to the corresponding RFC 6750, the bearer token has only base64 valid characters, reducing the range of characters for a brute force attack. Version 7.0.2 and 8.0.1 of @fastify/bearer-auth contain a patch. There are currently no known workarounds. The package fastify-bearer-auth, which covers versions 6.0.3 and prior, is also vulnerable starting at version 5.0.1. Users of fastify-bearer-auth should upgrade to a patched version of @fastify/bearer-auth.",
    "id": "GSD-2022-31142"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2022-31142"
      ],
      "details": "@fastify/bearer-auth is a Fastify plugin to require bearer Authorization headers. @fastify/bearer-auth prior to versions 7.0.2 and 8.0.1 does not securely use crypto.timingSafeEqual. A malicious attacker could estimate the length of one valid bearer token. According to the corresponding RFC 6750, the bearer token has only base64 valid characters, reducing the range of characters for a brute force attack. Version 7.0.2 and 8.0.1 of @fastify/bearer-auth contain a patch. There are currently no known workarounds. The package fastify-bearer-auth, which covers versions 6.0.3 and prior, is also vulnerable starting at version 5.0.1. Users of fastify-bearer-auth should upgrade to a patched version of @fastify/bearer-auth.",
      "id": "GSD-2022-31142",
      "modified": "2023-12-13T01:19:17.486770Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2022-31142",
        "STATE": "PUBLIC",
        "TITLE": "Potential Timing Attack Vector in @fastify/bearer-auth"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "fastify-bearer-auth",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "\u003e= 5.0.1, \u003c 7.0.2"
                        },
                        {
                          "version_value": "= 8.0.0"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "fastify"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "@fastify/bearer-auth is a Fastify plugin to require bearer Authorization headers. @fastify/bearer-auth prior to versions 7.0.2 and 8.0.1 does not securely use crypto.timingSafeEqual. A malicious attacker could estimate the length of one valid bearer token. According to the corresponding RFC 6750, the bearer token has only base64 valid characters, reducing the range of characters for a brute force attack. Version 7.0.2 and 8.0.1 of @fastify/bearer-auth contain a patch. There are currently no known workarounds. The package fastify-bearer-auth, which covers versions 6.0.3 and prior, is also vulnerable starting at version 5.0.1. Users of fastify-bearer-auth should upgrade to a patched version of @fastify/bearer-auth."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-208: Observable Timing Discrepancy"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/fastify/fastify-bearer-auth/security/advisories/GHSA-376v-xgjx-7mfr",
            "refsource": "CONFIRM",
            "url": "https://github.com/fastify/fastify-bearer-auth/security/advisories/GHSA-376v-xgjx-7mfr"
          },
          {
            "name": "https://github.com/fastify/fastify-bearer-auth/commit/0c468a616d7e56126dc468150f6a5a92e530b8e4",
            "refsource": "MISC",
            "url": "https://github.com/fastify/fastify-bearer-auth/commit/0c468a616d7e56126dc468150f6a5a92e530b8e4"
          },
          {
            "name": "https://github.com/fastify/fastify-bearer-auth/commit/39353b15409ee99474545f615ffb16180cf3b716",
            "refsource": "MISC",
            "url": "https://github.com/fastify/fastify-bearer-auth/commit/39353b15409ee99474545f615ffb16180cf3b716"
          },
          {
            "name": "https://github.com/fastify/fastify-bearer-auth/commit/f921a0582dc83112039004a9b5041141b50c5b3f",
            "refsource": "MISC",
            "url": "https://github.com/fastify/fastify-bearer-auth/commit/f921a0582dc83112039004a9b5041141b50c5b3f"
          },
          {
            "name": "https://hackerone.com/reports/1633287",
            "refsource": "MISC",
            "url": "https://hackerone.com/reports/1633287"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-376v-xgjx-7mfr",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c7.0.2||=8.0.0",
          "affected_versions": "All versions before 7.0.2, version 8.0.0",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-203",
            "CWE-937"
          ],
          "date": "2022-07-21",
          "description": "@fastify/bearer-auth is a Fastify plugin to require bearer Authorization headers. @fastify/bearer-auth prior to versions 7.0.2 and 8.0.1 does not securely use `crypto.timingSafeEqual`. A malicious attacker could estimate the length of one valid bearer token. According to the corresponding RFC 6750, the bearer token has only base64 valid characters, reducing the range of characters for a brute force attack. Version 7.0.2 and 8.0.1 of @fastify/bearer-auth contain a patch. There are currently no known workarounds. The package fastify-bearer-auth, which covers versions 6.0.3 and prior, is also vulnerable starting at version 5.0.1. Users of fastify-bearer-auth should upgrade to a patched version of @fastify/bearer-auth.",
          "fixed_versions": [
            "7.0.2",
            "8.0.1"
          ],
          "identifier": "CVE-2022-31142",
          "identifiers": [
            "GHSA-376v-xgjx-7mfr",
            "CVE-2022-31142"
          ],
          "not_impacted": "All versions starting from 7.0.2 before 8.0.0, all versions after 8.0.0",
          "package_slug": "npm/@fastify/bearer-auth",
          "pubdate": "2022-07-15",
          "solution": "Upgrade to versions 7.0.2, 8.0.1 or above.",
          "title": "Observable Discrepancy",
          "urls": [
            "https://github.com/fastify/fastify-bearer-auth/security/advisories/GHSA-376v-xgjx-7mfr",
            "https://nvd.nist.gov/vuln/detail/CVE-2022-31142",
            "https://github.com/fastify/fastify-bearer-auth/commit/0c468a616d7e56126dc468150f6a5a92e530b8e4",
            "https://github.com/fastify/fastify-bearer-auth/commit/39353b15409ee99474545f615ffb16180cf3b716",
            "https://github.com/fastify/fastify-bearer-auth/commit/f921a0582dc83112039004a9b5041141b50c5b3f",
            "https://hackerone.com/reports/1633287",
            "https://github.com/advisories/GHSA-376v-xgjx-7mfr"
          ],
          "uuid": "b4f1dd08-4a9a-470c-b49d-b59bbdffddcc"
        },
        {
          "affected_range": "\u003c7.0.2||\u003e=8.0.0 \u003c8.0.1",
          "affected_versions": "All versions before 7.0.2, all versions starting from 8.0.0 before 8.0.1",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-203",
            "CWE-937"
          ],
          "date": "2022-07-20",
          "description": "@fastify/bearer-auth is a Fastify plugin to require bearer Authorization headers. @fastify/bearer-auth prior to versions 7.0.2 and 8.0.1 does not securely use crypto.timingSafeEqual. A malicious attacker could estimate the length of one valid bearer token. According to the corresponding RFC 6750, the bearer token has only base64 valid characters, reducing the range of characters for a brute force attack. Version 7.0.2 and 8.0.1 of @fastify/bearer-auth contain a patch. There are currently no known workarounds. The package fastify-bearer-auth, which covers versions 6.0.3 and prior, is also vulnerable starting at version 5.0.1. Users of fastify-bearer-auth should upgrade to a patched version of @fastify/bearer-auth.",
          "fixed_versions": [
            "7.0.2",
            "8.0.1"
          ],
          "identifier": "CVE-2022-31142",
          "identifiers": [
            "CVE-2022-31142",
            "GHSA-376v-xgjx-7mfr"
          ],
          "not_impacted": "All versions starting from 7.0.2 before 8.0.0, all versions starting from 8.0.1",
          "package_slug": "npm/bearer-auth",
          "pubdate": "2022-07-14",
          "solution": "Upgrade to versions 7.0.2, 8.0.1 or above.",
          "title": "Observable Discrepancy",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2022-31142",
            "https://github.com/fastify/fastify-bearer-auth/commit/f921a0582dc83112039004a9b5041141b50c5b3f",
            "https://github.com/fastify/fastify-bearer-auth/commit/39353b15409ee99474545f615ffb16180cf3b716",
            "https://github.com/fastify/fastify-bearer-auth/security/advisories/GHSA-376v-xgjx-7mfr",
            "https://hackerone.com/reports/1633287",
            "https://github.com/fastify/fastify-bearer-auth/commit/0c468a616d7e56126dc468150f6a5a92e530b8e4"
          ],
          "uuid": "f70b692f-59c7-4496-b5ef-979229d84be1"
        },
        {
          "affected_range": "\u003e=5.0.1 \u003c7.0.2",
          "affected_versions": "All versions starting from 5.0.1 up to 7.0.1",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-203",
            "CWE-937"
          ],
          "date": "2022-07-21",
          "description": "@fastify/bearer-auth is a Fastify plugin to require bearer Authorization headers. @fastify/bearer-auth prior to versions 7.0.2 and 8.0.1 does not securely use `crypto.timingSafeEqual`. A malicious attacker could estimate the length of one valid bearer token. According to the corresponding RFC 6750, the bearer token has only base64 valid characters, reducing the range of characters for a brute force attack. Version 7.0.2 and 8.0.1 of @fastify/bearer-auth contain a patch. There are currently no known workarounds. The package fastify-bearer-auth, which covers versions 6.0.3 and prior, is also vulnerable starting at version 5.0.1. Users of fastify-bearer-auth should upgrade to a patched version of @fastify/bearer-auth.",
          "fixed_versions": [
            "7.0.2"
          ],
          "identifier": "CVE-2022-31142",
          "identifiers": [
            "GHSA-376v-xgjx-7mfr",
            "CVE-2022-31142"
          ],
          "not_impacted": "All versions starting from 7.0.2",
          "package_slug": "npm/fastify-bearer-auth",
          "pubdate": "2022-07-15",
          "solution": "Upgrade to version 7.0.2 or above.",
          "title": "Observable Discrepancy",
          "urls": [
            "https://github.com/fastify/fastify-bearer-auth/security/advisories/GHSA-376v-xgjx-7mfr",
            "https://nvd.nist.gov/vuln/detail/CVE-2022-31142",
            "https://github.com/fastify/fastify-bearer-auth/commit/0c468a616d7e56126dc468150f6a5a92e530b8e4",
            "https://github.com/fastify/fastify-bearer-auth/commit/39353b15409ee99474545f615ffb16180cf3b716",
            "https://github.com/fastify/fastify-bearer-auth/commit/f921a0582dc83112039004a9b5041141b50c5b3f",
            "https://hackerone.com/reports/1633287",
            "https://github.com/advisories/GHSA-376v-xgjx-7mfr"
          ],
          "uuid": "b7b433b9-b7a4-43db-93d4-15d313118758"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:fastify:bearer-auth:8.0.0:*:*:*:*:node.js:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:fastify:bearer-auth:*:*:*:*:*:node.js:*:*",
                "cpe_name": [],
                "versionEndExcluding": "7.0.2",
                "versionStartIncluding": "5.0.1",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2022-31142"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "@fastify/bearer-auth is a Fastify plugin to require bearer Authorization headers. @fastify/bearer-auth prior to versions 7.0.2 and 8.0.1 does not securely use crypto.timingSafeEqual. A malicious attacker could estimate the length of one valid bearer token. According to the corresponding RFC 6750, the bearer token has only base64 valid characters, reducing the range of characters for a brute force attack. Version 7.0.2 and 8.0.1 of @fastify/bearer-auth contain a patch. There are currently no known workarounds. The package fastify-bearer-auth, which covers versions 6.0.3 and prior, is also vulnerable starting at version 5.0.1. Users of fastify-bearer-auth should upgrade to a patched version of @fastify/bearer-auth."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-203"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/fastify/fastify-bearer-auth/commit/f921a0582dc83112039004a9b5041141b50c5b3f",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/fastify/fastify-bearer-auth/commit/f921a0582dc83112039004a9b5041141b50c5b3f"
            },
            {
              "name": "https://github.com/fastify/fastify-bearer-auth/commit/39353b15409ee99474545f615ffb16180cf3b716",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/fastify/fastify-bearer-auth/commit/39353b15409ee99474545f615ffb16180cf3b716"
            },
            {
              "name": "https://github.com/fastify/fastify-bearer-auth/security/advisories/GHSA-376v-xgjx-7mfr",
              "refsource": "CONFIRM",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://github.com/fastify/fastify-bearer-auth/security/advisories/GHSA-376v-xgjx-7mfr"
            },
            {
              "name": "https://hackerone.com/reports/1633287",
              "refsource": "MISC",
              "tags": [
                "Permissions Required",
                "Third Party Advisory"
              ],
              "url": "https://hackerone.com/reports/1633287"
            },
            {
              "name": "https://github.com/fastify/fastify-bearer-auth/commit/0c468a616d7e56126dc468150f6a5a92e530b8e4",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/fastify/fastify-bearer-auth/commit/0c468a616d7e56126dc468150f6a5a92e530b8e4"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2022-07-20T12:45Z",
      "publishedDate": "2022-07-14T19:15Z"
    }
  }
}

GHSA-376V-XGJX-7MFR

Vulnerability from github – Published: 2022-07-15 19:14 – Updated: 2022-07-21 15:57

Summary

fastify-bearer-auth vulnerable to Timing Attack Vector

Details

Impact

fastify-bearer-auth does not securely use crypto.timingSafeEqual. A malicious attacker could estimate the length of one valid bearer token. According to the corresponding RFC 6750, the bearer token has only base64 valid characters, reducing the range of characters for a brute force attack.

All versions of fastify-bearer-auth are also affected.

Patches

We released:

v8.0.1 with a fix for the Fastify v4 line
v7.0.2 with a fix for the Fastify v3 line

Workarounds

There are no workarounds. Update your dependencies.

References

https://hackerone.com/reports/1633287

For more information

If you have any questions or comments about this advisory: * Open an issue in https://github.com/fastify/fastify-bearer-auth * Email us at hello@matteocollina.com

Severity ?

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "fastify-bearer-auth"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.1"
            },
            {
              "last_affected": "6.0.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@fastify/bearer-auth"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@fastify/bearer-auth"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0.0"
            },
            {
              "fixed": "8.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "8.0.0"
      ]
    }
  ],
  "aliases": [
    "CVE-2022-31142"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203",
      "CWE-208"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-15T19:14:27Z",
    "nvd_published_at": "2022-07-14T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nfastify-bearer-auth does not securely use crypto.timingSafeEqual. A malicious attacker could estimate the length of one valid bearer token. According to the corresponding RFC 6750, the bearer token has only base64 valid characters, reducing the range of characters for a brute force attack.\n\nAll versions of fastify-bearer-auth are also affected.\n\n### Patches\n\nWe released:\n\n* v8.0.1 with a fix for the Fastify v4 line\n* v7.0.2 with a fix for the Fastify v3 line\n\n### Workarounds\n\nThere are no workarounds. Update your dependencies.\n\n### References\n\nhttps://hackerone.com/reports/1633287\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [https://github.com/fastify/fastify-bearer-auth](https://github.com/fastify/fastify-bearer-auth)\n* Email us at [hello@matteocollina.com](mailto:hello@matteocollina.com)\n",
  "id": "GHSA-376v-xgjx-7mfr",
  "modified": "2022-07-21T15:57:26Z",
  "published": "2022-07-15T19:14:27Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/fastify/fastify-bearer-auth/security/advisories/GHSA-376v-xgjx-7mfr"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31142"
    },
    {
      "type": "WEB",
      "url": "https://github.com/fastify/fastify-bearer-auth/commit/0c468a616d7e56126dc468150f6a5a92e530b8e4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/fastify/fastify-bearer-auth/commit/39353b15409ee99474545f615ffb16180cf3b716"
    },
    {
      "type": "WEB",
      "url": "https://github.com/fastify/fastify-bearer-auth/commit/f921a0582dc83112039004a9b5041141b50c5b3f"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/1633287"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/fastify/fastify-bearer-auth"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "fastify-bearer-auth vulnerable to Timing Attack Vector"
}

FKIE_CVE-2022-31142

Vulnerability from fkie_nvd - Published: 2022-07-14 19:15 - Updated: 2024-11-21 07:03

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/fastify/fastify-bearer-auth/commit/0c468a616d7e56126dc468150f6a5a92e530b8e4	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/fastify/fastify-bearer-auth/commit/39353b15409ee99474545f615ffb16180cf3b716	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/fastify/fastify-bearer-auth/commit/f921a0582dc83112039004a9b5041141b50c5b3f	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/fastify/fastify-bearer-auth/security/advisories/GHSA-376v-xgjx-7mfr	Third Party Advisory
security-advisories@github.com	https://hackerone.com/reports/1633287	Permissions Required, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/fastify/fastify-bearer-auth/commit/0c468a616d7e56126dc468150f6a5a92e530b8e4	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/fastify/fastify-bearer-auth/commit/39353b15409ee99474545f615ffb16180cf3b716	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/fastify/fastify-bearer-auth/commit/f921a0582dc83112039004a9b5041141b50c5b3f	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/fastify/fastify-bearer-auth/security/advisories/GHSA-376v-xgjx-7mfr	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://hackerone.com/reports/1633287	Permissions Required, Third Party Advisory

Impacted products

	Vendor	Product	Version
	fastify	bearer-auth	*
	fastify	bearer-auth	8.0.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:fastify:bearer-auth:*:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "F4E6279F-FB08-4B50-8A0E-8A751098175F",
              "versionEndExcluding": "7.0.2",
              "versionStartIncluding": "5.0.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:fastify:bearer-auth:8.0.0:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "BF0046AC-5EB0-4A58-B08F-3B8F3F7DA4C1",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "@fastify/bearer-auth is a Fastify plugin to require bearer Authorization headers. @fastify/bearer-auth prior to versions 7.0.2 and 8.0.1 does not securely use crypto.timingSafeEqual. A malicious attacker could estimate the length of one valid bearer token. According to the corresponding RFC 6750, the bearer token has only base64 valid characters, reducing the range of characters for a brute force attack. Version 7.0.2 and 8.0.1 of @fastify/bearer-auth contain a patch. There are currently no known workarounds. The package fastify-bearer-auth, which covers versions 6.0.3 and prior, is also vulnerable starting at version 5.0.1. Users of fastify-bearer-auth should upgrade to a patched version of @fastify/bearer-auth."
    },
    {
      "lang": "es",
      "value": "fastify/bearer-auth es un plugin de Fastify para requerir encabezados de autorizaci\u00f3n de portador. fastify/bearer-auth versiones anteriores a 7.0.2 y 8.0.1, no usa de forma segura crypto.timingSafeEqual. Un atacante malicioso podr\u00eda estimar la longitud de un token de portador v\u00e1lido. Seg\u00fan el correspondiente RFC 6750, el token de portador s\u00f3lo presenta caracteres v\u00e1lidos en base64, reduciendo el rango de caracteres para un ataque de fuerza bruta. Las versiones 7.0.2 y 8.0.1 de fastify/bearer-auth contienen un parche. Actualmente no se presentan mitigaciones conocidas. El paquete fastify-bearer-auth, que cubre las versiones 6.0.3 y anteriores, tambi\u00e9n es vulnerable a partir de la versi\u00f3n 5.0.1. Los usuarios de fastify-bearer-auth deber\u00edan actualizar a una versi\u00f3n parcheada de fastify/bearer-auth"
    }
  ],
  "id": "CVE-2022-31142",
  "lastModified": "2024-11-21T07:03:59.073",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-07-14T19:15:07.787",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/fastify/fastify-bearer-auth/commit/0c468a616d7e56126dc468150f6a5a92e530b8e4"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/fastify/fastify-bearer-auth/commit/39353b15409ee99474545f615ffb16180cf3b716"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/fastify/fastify-bearer-auth/commit/f921a0582dc83112039004a9b5041141b50c5b3f"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/fastify/fastify-bearer-auth/security/advisories/GHSA-376v-xgjx-7mfr"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Permissions Required",
        "Third Party Advisory"
      ],
      "url": "https://hackerone.com/reports/1633287"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/fastify/fastify-bearer-auth/commit/0c468a616d7e56126dc468150f6a5a92e530b8e4"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/fastify/fastify-bearer-auth/commit/39353b15409ee99474545f615ffb16180cf3b716"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/fastify/fastify-bearer-auth/commit/f921a0582dc83112039004a9b5041141b50c5b3f"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/fastify/fastify-bearer-auth/security/advisories/GHSA-376v-xgjx-7mfr"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Permissions Required",
        "Third Party Advisory"
      ],
      "url": "https://hackerone.com/reports/1633287"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-208"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-203"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2022-31142 (GCVE-0-2022-31142)

GSD-2022-31142

GHSA-376V-XGJX-7MFR

Impact

Patches

Workarounds

References

For more information

FKIE_CVE-2022-31142

Tags

Sightings

Nomenclature