A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20.0, <18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks.
References
Link | Resource |
---|---|
https://hackerone.com/reports/1632921 |
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
History
23 Feb 2023, 20:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
Summary | A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20.0, <18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks. |
09 Feb 2023, 01:46
Type | Values Removed | Values Added |
---|---|---|
First Time |
Siemens sinec Ins
Fedoraproject Fedoraproject fedora Siemens |
|
References | (CONFIRM) https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf - Third Party Advisory | |
References | (DEBIAN) https://www.debian.org/security/2023/dsa-5326 - Third Party Advisory | |
References | (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QCNN3YG2BCLS4ZEKJ3CLSUT6AS7AXTH3/ - Mailing List, Third Party Advisory | |
References | (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VMQK5L5SBYD47QQZ67LEMHNQ662GH3OY/ - Mailing List, Third Party Advisory | |
References | (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ICG6CSIB3GUWH5DUSQEVX53MOJW7LYK/ - Mailing List, Third Party Advisory | |
CPE | cpe:2.3:a:siemens:sinec_ins:1.0:sp1:*:*:*:*:*:* cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:* cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:* cpe:2.3:a:siemens:sinec_ins:*:*:*:*:*:*:*:* cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:* cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:* cpe:2.3:a:siemens:sinec_ins:1.0:-:*:*:*:*:*:* |
26 Jan 2023, 21:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
10 Jan 2023, 13:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
29 Nov 2022, 04:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
07 Oct 2022, 16:38
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* | |
First Time |
Debian debian Linux
Debian |
|
References | (CONFIRM) https://security.netapp.com/advisory/ntap-20220915-0001/ - Third Party Advisory | |
References | (MLIST) https://lists.debian.org/debian-lts-announce/2022/10/msg00006.html - Mailing List, Third Party Advisory |
06 Oct 2022, 20:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
15 Sep 2022, 18:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
23 Aug 2022, 12:15
Type | Values Removed | Values Added |
---|---|---|
Summary | A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.16.0, <18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks. |
01 Aug 2022, 12:55
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:* cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:* |
21 Jul 2022, 14:52
Type | Values Removed | Values Added |
---|---|---|
First Time |
Nodejs
Nodejs node.js |
|
CWE | CWE-78 | |
CPE | cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:* | |
References | (MISC) https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7160 - Third Party Advisory, VDB Entry | |
References | (MISC) https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22884 - Third Party Advisory, VDB Entry | |
References | (MISC) https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/ - Patch, Vendor Advisory | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 8.1 |
14 Jul 2022, 15:19
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2022-07-14 15:15
Updated : 2023-12-10 14:35
NVD link : CVE-2022-32212
Mitre link : CVE-2022-32212
CVE.ORG link : CVE-2022-32212
JSON object : View
Products Affected
fedoraproject
- fedora
debian
- debian_linux
siemens
- sinec_ins
nodejs
- node.js