Main Vulnerability Database Vulnerabilities #VU65280

#VU65280 Security features bypass in Node.js - CVE-2022-32222

Published: July 13, 2022 / Updated: October 4, 2022

Vulnerability identifier: #VU65280

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2022-32222

CWE-ID: CWE-254

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Node.js

Software vendor:
Node.js Foundation

Description

The vulnerability allows a remote attacker to bypass security restrictions

The vulnerability exists due to Node.js after start on linux based systems attempts to read /home/iojs/build/ws/out/Release/obj.target/deps/openssl/openssl.cnf, which ordinarily doesn't exist. A remote unauthenticated attacker can attemp to read openssl.cnf from /home/iojs/build/ upon startup to create this file and affect the default OpenSSL configuration for other users.

Remediation

Install updates from vendor's website.

External links

https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/

#VU65280 Security features bypass in Node.js - CVE-2022-32222

Description

Remediation

External links

Please verify you're human