Incorrect default permissions in log4js-node

#VU61582 Incorrect default permissions in log4js-node

Published: 2022-03-24

Vulnerability identifier: #VU61582

Vulnerability risk: Low

CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21704

CWE-ID: CWE-276

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
log4js-node
Web applications / Modules and components for CMS

Vendor: log4js-node

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to incorrect default permissions for log files created by the file, fileSync and dateFile appenders. A local user with access to the system can view contents of files and gain access to sensitive information.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

log4js-node: 0.5.0 - 6.3.0

External links
http://github.com/log4js-node/log4js-node/blob/v6.4.0/CHANGELOG.md#640
http://github.com/log4js-node/log4js-node/pull/1141/commits/8042252861a1b65adb66931fdf702ead34fa9b76
http://github.com/log4js-node/streamroller/pull/87
http://github.com/log4js-node/log4js-node/security/advisories/GHSA-82v2-mx6x-wq7q

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Cloud Pak for Watson AIOps

Multiple vulnerabilities in Cloudera Data Platform Private Cloud Base for IBM

Insecure default permissions in log4js-node