CVE-2022-21704
5.5
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
log4js-node is a port of log4js to node.js. In affected versions default file permissions for log files created by the file, fileSync and dateFile appenders are world-readable (in unix). This could cause problems if log files contain sensitive information. This would affect any users that have not supplied their own permissions for the files via the mode parameter in the config. Users are advised to update.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| log4js-node | log4js-node | < 6.4.0 | affected |
Weaknesses
- CWE-276: CWE-276: Incorrect Default Permissions
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/log4js-node/log4js-node/security/advisories/GHSA-82v2-mx6x-wq7q
- https://github.com/log4js-node/log4js-node/pull/1141/commits/8042252861a1b65adb66931fdf702ead34fa9b76
- https://github.com/log4js-node/streamroller/pull/87
- https://github.com/log4js-node/log4js-node/blob/v6.4.0/CHANGELOG.md#640
- https://lists.debian.org/debian-lts-announce/2022/12/msg00014.html
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://github.com/log4js-node/log4js-node/security/advisories/GHSA-82v2-mx6x-wq7q
- https://github.com/log4js-node/log4js-node/pull/1141/commits/8042252861a1b65adb66931fdf702ead34fa9b76
- https://github.com/log4js-node/streamroller/pull/87
- https://github.com/log4js-node/log4js-node/blob/v6.4.0/CHANGELOG.md#640
- https://lists.debian.org/debian-lts-announce/2022/12/msg00014.html
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.