CVE-2022-32212

An OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20.0, <18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check whether an IP address is invalid before making DNS requests, allowing rebinding attacks.
Configurations

Configuration 1

OR
  • cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
  • cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*
  • cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
  • cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*
  • cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*

Configuration 2

OR
  • cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
  • cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
  • cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
  • cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*
  • cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*

Configuration 3

OR
  • cpe:2.3:a:siemens:sinec_ins:*:*:*:*:*:*:*:*
  • cpe:2.3:a:siemens:sinec_ins:1.0:-:*:*:*:*:*:*
  • cpe:2.3:a:siemens:sinec_ins:1.0:sp1:*:*:*:*:*:*

History

23 Feb 2023, 20:15

Type: References
Values Removed:
  • https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf (CONFIRM) - Third Party Advisory
  • https://security.netapp.com/advisory/ntap-20220915-0001/ (CONFIRM) - Third Party Advisory
  • https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QCNN3YG2BCLS4ZEKJ3CLSUT6AS7AXTH3/ (FEDORA, FEDORA-2022-1667f7b60a) - Mailing List, Third Party Advisory
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22884 (MISC) - Third Party Advisory, VDB Entry
  • https://lists.debian.org/debian-lts-announce/2022/10/msg00006.html (MLIST, [debian-lts-announce] 20221005 [SECURITY] [DLA 3137-1] nodejs security update) - Mailing List, Third Party Advisory
  • https://www.debian.org/security/2023/dsa-5326 (DEBIAN, DSA-5326) - Third Party Advisory
  • https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VMQK5L5SBYD47QQZ67LEMHNQ662GH3OY/ (FEDORA, FEDORA-2022-52dec6351a) - Mailing List, Third Party Advisory
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7160 (MISC) - Third Party Advisory, VDB Entry
  • https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ICG6CSIB3GUWH5DUSQEVX53MOJW7LYK/ (FEDORA, FEDORA-2022-de515f765f) - Mailing List, Third Party Advisory
  • https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/ (MISC) - Patch, Vendor Advisory
Values Added:
  • (MISC) https://hackerone.com/reports/1632921

Type: Summary
Values Removed: A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.16.0, <18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks.
Values Added: A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20.0, <18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks.

09 Feb 2023, 01:46

Type: First Time
Values Added:
  • Siemens sinec Ins
  • Fedoraproject
  • Fedoraproject fedora
  • Siemens

Type: References
  • (CONFIRM) https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf
    Removed: (no tags) / Added: Third Party Advisory
  • (DEBIAN) https://www.debian.org/security/2023/dsa-5326
    Removed: (no tags) / Added: Third Party Advisory
  • (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QCNN3YG2BCLS4ZEKJ3CLSUT6AS7AXTH3/
    Removed: (no tags) / Added: Mailing List, Third Party Advisory
  • (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VMQK5L5SBYD47QQZ67LEMHNQ662GH3OY/
    Removed: (no tags) / Added: Mailing List, Third Party Advisory
  • (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ICG6CSIB3GUWH5DUSQEVX53MOJW7LYK/
    Removed: (no tags) / Added: Mailing List, Third Party Advisory

Type: CPE
Values Added:
  • cpe:2.3:a:siemens:sinec_ins:1.0:sp1:*:*:*:*:*:*
  • cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*
  • cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
  • cpe:2.3:a:siemens:sinec_ins:*:*:*:*:*:*:*:*
  • cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*
  • cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
  • cpe:2.3:a:siemens:sinec_ins:1.0:-:*:*:*:*:*:*

26 Jan 2023, 21:15

Type: References
Values Added:
  • (DEBIAN) https://www.debian.org/security/2023/dsa-5326

10 Jan 2023, 13:15

Type: References
Values Added:
  • (CONFIRM) https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf

29 Nov 2022, 04:15

Type: References
Values Added:
  • (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ICG6CSIB3GUWH5DUSQEVX53MOJW7LYK/
  • (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VMQK5L5SBYD47QQZ67LEMHNQ662GH3OY/
  • (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QCNN3YG2BCLS4ZEKJ3CLSUT6AS7AXTH3/

07 Oct 2022, 16:38

Type: CPE
Values Added:
  • cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Type: First Time
Values Added:
  • Debian debian Linux
  • Debian

Type: References
  • (CONFIRM) https://security.netapp.com/advisory/ntap-20220915-0001/
    Removed: (no tags) / Added: Third Party Advisory
  • (MLIST) https://lists.debian.org/debian-lts-announce/2022/10/msg00006.html
    Removed: (no tags) / Added: Mailing List, Third Party Advisory

06 Oct 2022, 20:15

Type: References
Values Added:
  • (MLIST) https://lists.debian.org/debian-lts-announce/2022/10/msg00006.html

15 Sep 2022, 18:15

Type: References
Values Added:
  • (CONFIRM) https://security.netapp.com/advisory/ntap-20220915-0001/

23 Aug 2022, 12:15

Type: Summary
Values Removed: A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20.0, <18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks.
Values Added: A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.16.0, <18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks.

01 Aug 2022, 12:55

Type: CPE
Values Removed:
  • cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:*
Values Added:
  • cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
  • cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*

21 Jul 2022, 14:52

Type: First Time
Values Added:
  • Nodejs
  • Nodejs node.js

Type: CWE
Values Added:
  • CWE-78

Type: CPE
Values Added:
  • cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:*

Type: References
  • (MISC) https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7160
    Removed: (no tags) / Added: Third Party Advisory, VDB Entry
  • (MISC) https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22884
    Removed: (no tags) / Added: Third Party Advisory, VDB Entry
  • (MISC) https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/
    Removed: (no tags) / Added: Patch, Vendor Advisory

Type: CVSS
Values Removed: v2 : unknown; v3 : unknown
Values Added: v2 : unknown; v3 : 8.1

14 Jul 2022, 15:19

Type: New CVE

Information

Published : 2022-07-14 15:15

Updated : 2023-12-10 14:35


NVD link : CVE-2022-32212

Mitre link : CVE-2022-32212

CVE.ORG link : CVE-2022-32212


JSON object : View

Products Affected

fedoraproject

  • fedora

debian

  • debian_linux

siemens

  • sinec_ins

nodejs

  • node.js
CWE
CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CWE-284

Improper Access Control