← Back

CVE-2022-32212

nvd nist
Published: Jul 14, 2022Modified: Nov 21, 2024

JSON object

Loading...
8.1
Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.2 / Impact: 5.9
Source: NVD

Description

A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20.0, <18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks.

Affected (13)

Products: Nodejs: Node.js · Debian: Debian Linux · Fedoraproject: Fedora · +1 more
Show all products
Nodejs: Node.js · Debian: Debian Linux · Fedoraproject: Fedora · Siemens: Sinec Ins
Nodejs
1 product
Node.js
Debian
1 product
Debian Linux
Fedoraproject
1 product
Fedora
Siemens
1 product
Sinec Ins
Configuration A
5 vulnerable
Vulnerable SoftwareAffected Versions
Nodejs
Node.js
From 14.0.0 to 14.14.0
Node.js
From 16.0.0 to 16.12.0
Node.js
From 18.0.0 to 18.5.0
Node.js
From 14.15.0 to 14.20.1
Node.js
From 16.13.0 to 16.17.1
Configuration B
5 vulnerable
Vulnerable SoftwareAffected Versions
Debian
Debian Linux
Version 10.0
Debian Linux
Version 11.0
Fedoraproject
Fedora
Version 35
Fedora
Version 36
Fedora
Version 37
Configuration C
3 vulnerable
Vulnerable SoftwareAffected Versions
Siemens
Sinec Ins
Before 1.0
Sinec Ins
Version 1.0
Sinec Ins
Version 1.0 sp1

Related CWEs

CWE-284
Improper Access Control
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References (2)

Source: support@hackerone.com
Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.