CVE-2022-21704

2022-01-1923:15:08

Debian Security Bug Tracker

security-tracker.debian.org

log4js-node

world-readable

log files

permissions

update

unix

CVSS2

2.1

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:L/Au:N/C:P/I:N/A:N

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

17.3%

JSON

log4js-node is a port of log4js to node.js. In affected versions default file permissions for log files created by the file, fileSync and dateFile appenders are world-readable (in unix). This could cause problems if log files contain sensitive information. This would affect any users that have not supplied their own permissions for the files via the mode parameter in the config. Users are advised to update.

OSVersionArchitecturePackageVersionFilename
Debian12allnode-log4js< 6.4.1+~cs8.3.5-1node-log4js_6.4.1+~cs8.3.5-1_all.deb
Debian11allnode-log4js< 6.3.0+~cs8.3.10-1+deb11u1node-log4js_6.3.0+~cs8.3.10-1+deb11u1_all.deb
Debian999allnode-log4js< 6.4.1+~cs8.3.5-1node-log4js_6.4.1+~cs8.3.5-1_all.deb
Debian13allnode-log4js< 6.4.1+~cs8.3.5-1node-log4js_6.4.1+~cs8.3.5-1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	node-log4js	< 6.4.1+~cs8.3.5-1	node-log4js_6.4.1+~cs8.3.5-1_all.deb
Debian	11	all	node-log4js	< 6.3.0+~cs8.3.10-1+deb11u1	node-log4js_6.3.0+~cs8.3.10-1+deb11u1_all.deb
Debian	999	all	node-log4js	< 6.4.1+~cs8.3.5-1	node-log4js_6.4.1+~cs8.3.5-1_all.deb
Debian	13	all	node-log4js	< 6.4.1+~cs8.3.5-1	node-log4js_6.4.1+~cs8.3.5-1_all.deb