Default file permissions for log files created by the file, fileSync and dateFile appenders are world-readable (in unix). This could cause problems if log files contain sensitive information. This would affect any users that have not supplied their own permissions for the files via the mode parameter in the config.
Fixed by:
Released to NPM in [email protected]
Every version of log4js published allows passing the mode parameter to the configuration of file appenders, see the documentation for details.
Thanks to ranjit-git for raising the issue, and to @lamweili for fixing the problem.
If you have any questions or comments about this advisory:
github.com/log4js-node/log4js-node
github.com/log4js-node/log4js-node/blob/v6.4.0/CHANGELOG.md#640
github.com/log4js-node/log4js-node/pull/1141/commits/8042252861a1b65adb66931fdf702ead34fa9b76
github.com/log4js-node/log4js-node/security/advisories/GHSA-82v2-mx6x-wq7q
github.com/log4js-node/streamroller/pull/87
lists.debian.org/debian-lts-announce/2022/12/msg00014.html
nvd.nist.gov/vuln/detail/CVE-2022-21704