Vulnerability Description
CVEProject/cve-services is an open source project used to operate the CVE services API. A conditional in 'data.js' has potential for production secrets to be written to disk. The affected method writes the generated randomKey to disk if the environment is not development. If this method were called in production, it is possible that it would write the plaintext key to disk. A patch is not available as of time of publication but is anticipated as a "hot fix" for version 1.1.1 and for the 2.x branch.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mitre | Cve-Services | >= 1.1.1 |
Related Weaknesses (CWE)
References
- https://github.com/CVEProject/cve-services/blob/6b085e481fd3b084a8828ef7489c6b82ExploitThird Party Advisory
- https://github.com/CVEProject/cve-services/security/advisories/GHSA-mpwm-rmqp-76ExploitThird Party Advisory
- https://github.com/CVEProject/cve-services/blob/6b085e481fd3b084a8828ef7489c6b82ExploitThird Party Advisory
- https://github.com/CVEProject/cve-services/security/advisories/GHSA-mpwm-rmqp-76ExploitThird Party Advisory
FAQ
What is CVE-2022-31004?
CVE-2022-31004 is a vulnerability with a CVSS score of 7.5 (HIGH). CVEProject/cve-services is an open source project used to operate the CVE services API. A conditional in 'data.js' has potential for production secrets to be written to disk. The affected method write...
How severe is CVE-2022-31004?
CVE-2022-31004 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-31004?
Check the references section above for vendor advisories and patch information. Affected products include: Mitre Cve-Services.