CVSS2
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score
Confidence: High

EPSS
Percentile: 95.5%

The OpenSSL security releases of May 3, 2022 affect Node.js 17.x and 18.x, but the highest severity is “Low”.
Our assessment of the security advisory is:
c_rehash script allows command injection (CVE-2022-1292)
Node.js doesn’t use or ship the c_rehash script. Therefore, Node.js is not affected.
OCSP_basic_verify may incorrectly verify the response signing certificate (CVE-2022-1343)
Node.js doesn’t call OCSP_basic_verify with the custom flag OCSP_NOCHECKS. Node.js is not affected.
Node.js does not compile with --enable-weak-ssl-ciphers, therefore, Node.js is not affected.
Node.js 17.x and 18.x are affected by this CVE which is rated “Low”.
Given this assessment, the OpenSSL updates for Node.js will be delivered through the regular Node.js release cycle, with releases scheduled by the end of May.