A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20.0, <18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks.

Affected configurations

NVD

Node

nodejsnode.jsRange14.0.0–14.14.0-

nodejsnode.jsRange14.15.0–14.20.1lts

nodejsnode.jsRange16.0.0–16.12.0-

nodejsnode.jsRange16.13.0–16.17.1lts

nodejsnode.jsRange18.0.0–18.5.0-

Node

debiandebian_linuxMatch10.0

debiandebian_linuxMatch11.0

fedoraprojectfedoraMatch35

fedoraprojectfedoraMatch36

fedoraprojectfedoraMatch37

Node

siemenssinec_insRange<1.0

siemenssinec_insMatch1.0-

siemenssinec_insMatch1.0sp1

References

hackerone.com/reports/1632921

veracode 1

alpinelinux 2

prion 2

ubuntucve 2

cbl_mariner 2

osv 12

hackerone 3

ibm 20

cve 2

cvelist 2

debiancve 2

nessus 65

redhatcve 1

nvd 1

f5 1

openvas 26

mageia 2

suse 5

photon 2

altlinux 1

redhat 5

debian 2

oraclelinux 3

fedora 3

almalinux 2

rocky 3

ubuntu 1

nodejsblog 2

freebsd 1

ics 1

gentoo 1

oracle 3

veracode

OS Command Injection

2022-07-15 10:43:40

alpinelinux

CVE-2022-32212

2022-07-14 15:15:08

CVE-2022-43548

2022-12-05 22:15:10

prion

Command injection

2022-07-14 15:15:00

Command injection

2022-12-05 22:15:00

ubuntucve

CVE-2022-32212

2022-07-14 00:00:00

CVE-2022-43548

2022-12-05 00:00:00

cbl_mariner

CVE-2022-32212 affecting package nodejs for versions less than 16.20.2-4

2022-08-31 06:17:55

CVE-2022-32212 affecting package nodejs 14.18.3-1

2022-08-12 16:45:11

osv

CVE-2022-32212

2022-07-14 15:15:08

BIT-node-2022-32212

2024-03-06 11:04:18

CVE-2022-43548

2022-12-05 22:15:10

hackerone

Node.js: DNS rebinding in --inspect (again) via invalid IP addresses

2022-05-18 05:48:02

Node.js: DNS rebinding in --inspect (insufficient fix of CVE-2022-32212 affecting macOS devices)

2022-07-10 18:01:38

Internet Bug Bounty: DNS rebinding in --inspect (insufficient fix of CVE-2022-32212 affecting macOS devices)

2022-09-28 08:45:11

ibm

Security Bulletin: IBM App Connect Enterprise Certified Container may be vulnerable to arbitrary code execution due to CVE-2022-32212

2022-11-04 18:13:21

Security Bulletin: A security vulnerability in Node.js affects IBM Cloud Pak for Watson AIOps Infrastructure Automation

2022-10-21 17:31:42

Security Bulletin: Multiple Vulnerabilities in node.js

2022-08-08 17:42:51

cve

CVE-2022-32212

2022-07-14 15:15:08

CVE-2022-43548

2022-12-05 22:15:10

cvelist

CVE-2022-32212

2022-07-14 00:00:00

CVE-2022-43548

2022-12-05 00:00:00

debiancve

CVE-2022-32212

2022-07-14 15:15:08

CVE-2022-43548

2022-12-05 22:15:10

nessus

CBL Mariner 2.0 Security Update: nodejs (CVE-2022-43548)

2023-03-20 00:00:00

SUSE SLES12 Security Update : nodejs12 (SUSE-SU-2022:3989-1)

2022-11-17 00:00:00

SUSE SLES15 Security Update : nodejs16 (SUSE-SU-2022:4084-1)

2022-11-19 00:00:00

redhatcve

CVE-2022-32212

2022-07-08 18:43:57

nvd

CVE-2022-43548

2022-12-05 22:15:10

K000133494 : Node.js vulnerability CVE-2022-43548

2023-04-12 00:00:00

openvas

Mageia: Security Advisory (MGASA-2022-0354)

2022-10-03 00:00:00

SUSE: Security Advisory (SUSE-SU-2022:2416-1)

2022-07-18 00:00:00

SUSE: Security Advisory (SUSE-SU-2022:2425-1)

2022-07-19 00:00:00

mageia

Updated nodejs packages fix security vulnerability

2022-10-01 20:48:24

Updated nodejs packages fix security vulnerability

2022-08-26 00:21:07

suse

Security update for nodejs16 (important)

2022-07-26 00:00:00

Security update for nodejs14 (important)

2022-07-18 00:00:00

Security update for nodejs12 (important)

2022-07-18 00:00:00

photon

Critical Photon OS Security Update - PHSA-2022-0426

2022-07-26 00:00:00

Important Photon OS Security Update - PHSA-2022-3.0-0426

2022-07-26 00:00:00

altlinux

Security fix for the ALT Linux 10 package node version 16.17.1-alt1

2022-09-30 00:00:00

redhat

(RHSA-2022:6985) Moderate: nodejs:14 security and bug fix update

2022-10-18 07:45:13

(RHSA-2022:6448) Moderate: nodejs:14 security and bug fix update

2022-09-13 07:36:51

(RHSA-2022:6389) Moderate: rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon security and bug fix update

2022-09-08 07:08:33

debian

[SECURITY] [DLA 3137-1] nodejs security update

2022-10-05 15:18:22

[SECURITY] [DSA 5326-1] nodejs security update

2023-01-24 20:01:20

oraclelinux

nodejs:14 security and bug fix update

2022-09-15 00:00:00

nodejs:16 security and bug fix update

2022-09-15 00:00:00

nodejs and nodejs-nodemon security and bug fix update

2022-09-22 00:00:00

fedora

[SECURITY] Fedora 37 Update: nodejs-18.12.1-1.fc37

2022-11-29 01:13:36

[SECURITY] Fedora 36 Update: nodejs-16.18.1-1.fc36

2022-11-29 01:28:04

[SECURITY] Fedora 35 Update: nodejs-16.18.1-1.fc35

2022-11-29 00:57:02

almalinux

Moderate: nodejs:14 security and bug fix update

2022-09-13 00:00:00

Moderate: nodejs and nodejs-nodemon security and bug fix update

2022-09-20 00:00:00

rocky

nodejs:14 security and bug fix update

2022-09-13 07:36:51

nodejs:16 security and bug fix update

2022-09-13 07:36:52

nodejs and nodejs-nodemon security and bug fix update

2022-09-20 11:37:49

ubuntu

Node.js vulnerabilities

2023-11-21 00:00:00

nodejsblog

September 23rd 2022 Security Releases

2022-09-15 00:00:00

July 7th 2022 Security Releases

2022-07-07 00:00:00

freebsd

Node.js -- July 7th 2022 Security Releases

2022-07-05 00:00:00

ics

Siemens SINEC INS

2023-01-17 12:00:00

gentoo

Node.js: Multiple Vulnerabilities

2024-05-08 00:00:00

oracle

Oracle Critical Patch Update Advisory - October 2022

2022-10-18 00:00:00

Oracle Critical Patch Update Advisory - January 2023

2023-01-17 00:00:00

Oracle Critical Patch Update Advisory - April 2023

2023-04-18 00:00:00

Solutions

Vulnerabilities intelligence
Perimeter control tool
Linux scanner
Windows scanner
Developers SDK
Security Intelligence feeds

Database

Vulnerabilities
Exploits
Security News
BugBounty
Wild Exploited
Top Vulnerabilities
CVE Feed

Resources

Statics & Sources
Plugins
API docs
FAQ
Blog
Glossary

Company

About
Contacts
Pricing
EULA
Privacy Policy
Submission Policy
OpenSource

@2024 Vulners Inc

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

0.001 Low

EPSS

Percentile

44.1%

JSON

Related for NVD:CVE-2022-32212

veracode1 alpinelinux2 prion2 ubuntucve2 cbl_mariner2 osv12 hackerone3 ibm20 cve2 cvelist2 debiancve2 nessus65 redhatcve1 nvd1 f51 openvas26 mageia2 suse5 photon2 altlinux1 redhat5 debian2 oraclelinux3 fedora3 almalinux2 rocky3 ubuntu1 nodejsblog2 freebsd1 ics1 gentoo1 oracle3