HIGH · 8.2

CVE-2022-21824

Vulnerability Description

Due to the formatting logic of the "console.table()" function it was not safe to allow user controlled input to be passed to the "properties" parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be "__proto__". The prototype pollution has very limited control, in that it only allows an empty string to be assigned to numerical keys of the object prototype. Node.js >= 12.22.9, >= 14.18.3, >= 16.13.2, and >= 17.3.1 use a null prototype for the object these properties are being assigned to.
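The following is an added illustration, not code from Node.js itself: a minimal model of the column accumulator behind "console.table()", with a `useNullProto` flag (an assumption made for this example) so the pre-fix plain-object accumulator and the post-fix null-prototype accumulator can be compared. `protoIsClean()` is the check a regression test would run after calling it with a caller-supplied "properties" list.

```javascript
'use strict';
// Added example (not Node.js source): models how console.table() collects one
// list of cell values per requested column. `data` is the first argument (a
// plain object with at least one property), `properties` is the caller's
// column list. `useNullProto` is an assumption for this illustration: false
// models the pre-fix accumulator, true models the fixed releases.
function buildColumns(data, properties, useNullProto) {
  // Pre-fix: a plain object, where the key "__proto__" aliases Object.prototype.
  // Post-fix: a prototype-less object, where "__proto__" is an ordinary own key.
  const map = useNullProto ? Object.create(null) : {};
  const rowNames = Object.keys(data);
  for (const key of properties) {
    // One list per column; on a plain object map["__proto__"] is already
    // defined (it is Object.prototype), so no fresh list is created for it.
    if (map[key] === undefined) map[key] = [];
    for (let i = 0; i < rowNames.length; i++) {
      const row = data[rowNames[i]];
      const hasValue =
        row !== null &&
        typeof row === 'object' &&
        Object.prototype.hasOwnProperty.call(row, key);
      // Cells are padded with '' where a row lacks the column. This write is
      // the only value the caller influences, which is why the pollution is
      // limited to empty strings on numeric keys.
      map[key][i] = hasValue ? String(row[key]) : '';
    }
  }
  return map;
}

// Regression check: Object.prototype must not have gained an own numeric key.
function protoIsClean() {
  return !Object.prototype.hasOwnProperty.call(Object.prototype, '0');
}
```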

CVSS Score

8.2

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality: NONE
Integrity: LOW
Availability: HIGH

Affected Products

Vendor | Product | Versions
Nodejs | Node.Js | >= 12.0.0, < 12.22.9
Oracle | Mysql Cluster | <= 8.0.29
Oracle | Mysql Connectors | <= 8.0.28
Oracle | Mysql Enterprise Monitor | <= 8.0.29
Oracle | Mysql Server | <= 8.0.29
Oracle | Mysql Workbench | <= 8.0.28
Oracle | Peoplesoft Enterprise Peopletools | 8.58
Debian | Debian Linux | 10.0
Netapp | Oncommand Insight | -
Netapp | Oncommand Workflow Automation | -
Netapp | Snapcenter | -

Related Weaknesses (CWE)

References

FAQ

What is CVE-2022-21824?

CVE-2022-21824 is a vulnerability with a CVSS score of 8.2 (HIGH). Due to the formatting logic of the "console.table()" function it was not safe to allow user controlled input to be passed to the "properties" parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be "__proto__".

How severe is CVE-2022-21824?

CVE-2022-21824 has been rated HIGH with a CVSS base score of 8.2/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2022-21824?

Check the references section above for vendor advisories and patch information. Affected products include: Nodejs Node.Js, Oracle Mysql Cluster, Oracle Mysql Connectors, Oracle Mysql Enterprise Monitor, Oracle Mysql Server.