Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
mTLS client verification is skipped in fs2 on Node.js
Vulnerability Description
fs2 is a compositional, streaming I/O library for Scala. When establishing a server-mode `TLSSocket` using `fs2-io` on Node.js, the parameter `requestCert = true` is ignored, peer certificate verification is skipped, and the connection proceeds. The vulnerability is limited to: 1. `fs2-io` running on Node.js. The JVM TLS implementation is completely independent. 2. `TLSSocket`s in server-mode. Client-mode `TLSSocket`s are implemented via a different API. 3. mTLS as enabled via `requestCert = true` in `TLSParameters`. The default setting is `false` for server-mode `TLSSocket`s. It was introduced with the initial Node.js implementation of fs2-io in 3.1.0. A patch is released in v3.2.11. The requestCert = true parameter is respected and the peer certificate is verified. If verification fails, a SSLException is raised. If using an unpatched version on Node.js, do not use a server-mode TLSSocket with requestCert = true to establish a mTLS connection.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Vulnerability Type
证书验证不恰当
Vulnerability Title
Node.js 信任管理问题漏洞
Vulnerability Description
Node.js是一个开源、跨平台的 JavaScript 运行时环境。 Node.js上的fs2 存在信任管理问题漏洞,该漏洞源于在 Node.js 上使用 fs2-io 建立服务器模式TLSSocket 时,会忽略参数 requestCert = true,跳过对等证书验证,并继续连接,以下产品和版本受到影响:co.fs2:fs2-io_sjs1_2.12 3.2.11之前版本、co.fs2:fs2-io_sjs1_2.13 3.2.11之前版本、co.fs2:fs2-io_sjs1_3 3.2.11之
CVSS Information
N/A
Vulnerability Type
N/A