CVE-2022-37621
Incorrect Validation vulnerability in browserify-shim (npm)


What is CVE-2022-37621 About?

This is an Incorrect Validation vulnerability where HashiCorp Vault fails to properly validate OCSP responses. This flaw could allow an attacker to bypass certificate revocation checks, potentially leading to unauthorized access or man-in-the-middle attacks. Exploitation is moderately difficult, requiring the ability to manipulate or intercept OCSP responses.

Affected Software

browserify-shim <3.8.16

Technical Details

The vulnerability stems from 'Incorrect Validation' of OCSP (Online Certificate Status Protocol) responses within HashiCorp Vault. OCSP is used to determine the revocation status of X.509 digital certificates. When Vault performs certificate validation, it relies on OCSP responses to ensure that a certificate has not been revoked. The flaw indicates that Vault's logic for processing or verifying these responses is inadequate. An attacker could exploit this by either providing a maliciously crafted OCSP response (e.g., indicating a revoked certificate is still valid) or by manipulating network traffic to intercept and alter legitimate OCSP responses. Due to this incorrect validation, Vault might accept a revoked certificate as valid, enabling scenarios like unauthorized access, impersonation, or man-in-the-middle attacks. The attack vector involves influencing the OCSP response that Vault receives during its certificate validation process, which occurs during TLS handshakes or other certificate-centric operations.

What is the Impact of CVE-2022-37621?

Successful exploitation may allow attackers to bypass certificate revocation checks, impersonate legitimate entities, perform man-in-the-middle attacks, or gain unauthorized access to systems and data by tricking Vault into accepting revoked or invalid certificates.

What is the Exploitability of CVE-2022-37621?

Exploitation requires control over the OCSP response that HashiCorp Vault receives during certificate validation. This could involve intercepting and modifying network traffic, or acting as a malicious OCSP responder. The complexity level is moderate to high, as it requires network manipulation or specific infrastructure setup. No direct authentication to Vault is usually required to influence OCSP responses; what is required is influence over the trust chain. It is a remote vulnerability, affecting communications where Vault performs OCSP checks. Special conditions involve the presence of a revocation infrastructure and scenarios where an attacker can insert themselves into the communication path for OCSP queries or responses. Risk factors include insecure network environments or compromised OCSP responders.

What are the Known Public Exploits?

No known public exploits; the PoC table (PoC / Author / Link / Commentary) is empty.

What are the Available Fixes for CVE-2022-37621?

Available Upgrade Options

  • browserify-shim
    • <3.8.16 → Upgrade to 3.8.16


Additional Resources

What are Similar Vulnerabilities to CVE-2022-37621?

Similar Vulnerabilities: CVE-2025-6037, CVE-2023-28491, CVE-2021-43527, CVE-2020-19515, CVE-2020-14361