CVSS3: 5.5 Medium
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS2: 2.1 Low
Access Vector: LOCAL
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N

EPSS: 0.0005 Low
Percentile: 15.9%

log4js-node is a port of log4js to Node.js. In affected versions, the default
file permissions for log files created by the file, fileSync and dateFile
appenders are world-readable (on Unix). This could cause problems if log
files contain sensitive information. It affects any users who have
not supplied their own permissions for the files via the mode parameter in
the config. Users are advised to update.
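
The following is an added example, not code from log4js-node or from the advisory: a small audit that walks a log4js configuration object and flags file, fileSync and dateFile appenders that either set no `mode` or set one with the world-readable bit. The function names, appender names and file paths are assumptions made for illustration; the sample config is constructed.

```javascript
// Added example (not log4js code): flag file-based appenders in a log4js
// config whose log files may be readable by other local users.
const FILE_APPENDERS = new Set(['file', 'fileSync', 'dateFile']);
const OTHERS_READ = 0o004; // the "world-readable" permission bit

function auditAppenders(config) {
  const findings = [];
  for (const [name, appender] of Object.entries(config.appenders || {})) {
    if (!FILE_APPENDERS.has(appender.type)) continue;
    const { mode } = appender;
    if (mode === undefined) {
      // No explicit mode: the file gets whatever the installed version defaults to.
      findings.push({ name, issue: 'mode-not-set' });
    } else if (!Number.isInteger(mode) || mode < 0) {
      findings.push({ name, issue: 'mode-invalid' });
    } else if (mode & OTHERS_READ) {
      findings.push({ name, issue: 'world-readable', mode: mode.toString(8) });
    }
  }
  return findings;
}

// Return a copy of the config with an owner-only mode on every flagged appender.
// The input object is left unchanged.
function pinOwnerOnlyMode(config, mode = 0o600) {
  const flagged = new Set(auditAppenders(config).map((f) => f.name));
  const appenders = {};
  for (const [name, appender] of Object.entries(config.appenders || {})) {
    appenders[name] = flagged.has(name) ? { ...appender, mode } : appender;
  }
  return { ...config, appenders };
}

// Constructed sample config (appender names and paths are made up).
const sampleConfig = {
  appenders: {
    console: { type: 'stdout' },
    app: { type: 'file', filename: 'logs/app.log' },
    daily: { type: 'dateFile', filename: 'logs/daily.log', mode: 0o644 },
    audit: { type: 'fileSync', filename: 'logs/audit.log', mode: 0o600 },
  },
  categories: { default: { appenders: ['console', 'app'], level: 'info' } },
};

console.log(auditAppenders(sampleConfig));
console.log(auditAppenders(pinOwnerOnlyMode(sampleConfig)));
```

A config loaded from JSON carries the mode as a decimal integer (420 is 0o644, 384 is 0o600); the audit treats both forms the same way.
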
OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | node-log4js | < any | UNKNOWN |
ubuntu | 20.04 | noarch | node-log4js | < any | UNKNOWN |
ubuntu | 16.04 | noarch | node-log4js | < any | UNKNOWN |
github.com/log4js-node/log4js-node/blob/v6.4.0/CHANGELOG.md#640
github.com/log4js-node/log4js-node/pull/1141 (v6.4.1)
github.com/log4js-node/log4js-node/security/advisories/GHSA-82v2-mx6x-wq7q
github.com/log4js-node/streamroller/pull/87
launchpad.net/bugs/cve/CVE-2022-21704
nvd.nist.gov/vuln/detail/CVE-2022-21704
security-tracker.debian.org/tracker/CVE-2022-21704
www.cve.org/CVERecord?id=CVE-2022-21704