CVE-2022-21704 — MEDIUM (5.5)

Q: How severe is CVE-2022-21704?

CVE-2022-21704 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2022-21704?

Check the references section above for vendor advisories and patch information. Affected products include: Log4Js Project Log4Js, Debian Debian Linux.

Vulnerability Description

log4js-node is a port of log4js to node.js. In affected versions default file permissions for log files created by the file, fileSync and dateFile appenders are world-readable (in unix). This could cause problems if log files contain sensitive information. This would affect any users that have not supplied their own permissions for the files via the mode parameter in the config. Users are advised to update.

CVSS Score

5.5

MEDIUM

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Log4Js Project	Log4Js	< 6.4.0
Debian	Debian Linux	10.0

Related Weaknesses (CWE)

CWE-276

References

https://github.com/log4js-node/log4js-node/blob/v6.4.0/CHANGELOG.md#640Release NotesThird Party Advisory
https://github.com/log4js-node/log4js-node/pull/1141/commits/8042252861a1b65adb6PatchThird Party Advisory
https://github.com/log4js-node/log4js-node/security/advisories/GHSA-82v2-mx6x-wqPatchThird Party Advisory
https://github.com/log4js-node/streamroller/pull/87Issue TrackingPatchThird Party Advisory
https://lists.debian.org/debian-lts-announce/2022/12/msg00014.htmlMailing ListThird Party Advisory
https://github.com/log4js-node/log4js-node/blob/v6.4.0/CHANGELOG.md#640Release NotesThird Party Advisory
https://github.com/log4js-node/log4js-node/pull/1141/commits/8042252861a1b65adb6PatchThird Party Advisory
https://github.com/log4js-node/log4js-node/security/advisories/GHSA-82v2-mx6x-wqPatchThird Party Advisory
https://github.com/log4js-node/streamroller/pull/87Issue TrackingPatchThird Party Advisory
https://lists.debian.org/debian-lts-announce/2022/12/msg00014.htmlMailing ListThird Party Advisory

FAQ

What is CVE-2022-21704?

CVE-2022-21704 is a vulnerability with a CVSS score of 5.5 (MEDIUM). log4js-node is a port of log4js to node.js. In affected versions default file permissions for log files created by the file, fileSync and dateFile appenders are world-readable (in unix). This could ca...

How severe is CVE-2022-21704?

CVE-2022-21704 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2022-21704?

Check the references section above for vendor advisories and patch information. Affected products include: Log4Js Project Log4Js, Debian Debian Linux.