CVE-2022-32212

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2022-32212
A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20.0, <18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks.

8.1 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://hackerone.com/reports/1632921
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*
cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*
cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*

Configuration 2 (hide)

OR cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*

Configuration 3 (hide)

OR cpe:2.3:a:siemens:sinec_ins:*:*:*:*:*:*:*:*
cpe:2.3:a:siemens:sinec_ins:1.0:-:*:*:*:*:*:*
cpe:2.3:a:siemens:sinec_ins:1.0:sp1:*:*:*:*:*:*
History

23 Feb 2023, 20:15

Type Values Removed Values Added
CPE cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
cpe:2.3:a:siemens:sinec_ins:1.0:-:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*
cpe:2.3:a:siemens:sinec_ins:*:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
cpe:2.3:a:siemens:sinec_ins:1.0:sp1:*:*:*:*:*:*
References
  • {'url': 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7160', 'name': 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7160', 'tags': ['Third Party Advisory', 'VDB Entry'], 'refsource': 'MISC'}
  • {'url': 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22884', 'name': 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22884', 'tags': ['Third Party Advisory', 'VDB Entry'], 'refsource': 'MISC'}
  • {'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ICG6CSIB3GUWH5DUSQEVX53MOJW7LYK/', 'name': 'FEDORA-2022-de515f765f', 'tags': [], 'refsource': 'FEDORA'}
  • {'url': 'https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/', 'name': 'https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/', 'tags': ['Patch', 'Vendor Advisory'], 'refsource': 'MISC'}
  • {'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QCNN3YG2BCLS4ZEKJ3CLSUT6AS7AXTH3/', 'name': 'FEDORA-2022-1667f7b60a', 'tags': [], 'refsource': 'FEDORA'}
  • {'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VMQK5L5SBYD47QQZ67LEMHNQ662GH3OY/', 'name': 'FEDORA-2022-52dec6351a', 'tags': [], 'refsource': 'FEDORA'}
  • {'url': 'https://security.netapp.com/advisory/ntap-20220915-0001/', 'name': 'https://security.netapp.com/advisory/ntap-20220915-0001/', 'tags': ['Third Party Advisory'], 'refsource': 'CONFIRM'}
  • {'url': 'https://lists.debian.org/debian-lts-announce/2022/10/msg00006.html', 'name': '[debian-lts-announce] 20221005 [SECURITY] [DLA 3137-1] nodejs security update', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'MLIST'}
  • (MISC) https://hackerone.com/reports/1632921 -
Summary A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.16.0, <18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks. A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20.0, <18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks.

29 Nov 2022, 04:15

Type Values Removed Values Added
References
  • (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VMQK5L5SBYD47QQZ67LEMHNQ662GH3OY/ -
  • (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QCNN3YG2BCLS4ZEKJ3CLSUT6AS7AXTH3/ -
  • (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ICG6CSIB3GUWH5DUSQEVX53MOJW7LYK/ -

07 Oct 2022, 16:38

Type Values Removed Values Added
References
  • (MLIST) https://lists.debian.org/debian-lts-announce/2022/10/msg00006.html - Mailing List, Third Party Advisory
References (CONFIRM) https://security.netapp.com/advisory/ntap-20220915-0001/ - (CONFIRM) https://security.netapp.com/advisory/ntap-20220915-0001/ - Third Party Advisory
CPE cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

15 Sep 2022, 18:15

Type Values Removed Values Added
References
  • (CONFIRM) https://security.netapp.com/advisory/ntap-20220915-0001/ -

23 Aug 2022, 12:15

Type Values Removed Values Added
Summary A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20.0, <18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks. A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.16.0, <18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks.

01 Aug 2022, 12:55

Type Values Removed Values Added
CPE cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:* cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*
cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*

21 Jul 2022, 14:52

Type Values Removed Values Added
CWE CWE-78
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 8.1
References (MISC) https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7160 - (MISC) https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7160 - Third Party Advisory, VDB Entry
References (MISC) https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22884 - (MISC) https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22884 - Third Party Advisory, VDB Entry
References (MISC) https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/ - (MISC) https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/ - Patch, Vendor Advisory
CPE cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:*

14 Jul 2022, 15:19

Type Values Removed Values Added
New CVE
Information

Published : 2022-07-14 15:15

Updated : 2024-02-04 22:51

NVD link : CVE-2022-32212

Mitre link : CVE-2022-32212

CVE.ORG link : CVE-2022-32212

JSON object : View

Products Affected

nodejs

  • node.js

debian

  • debian_linux

fedoraproject

  • fedora

siemens

  • sinec_ins
CWE
CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CWE-284

Improper Access Control