CVSS3: 5.5 Medium
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS2: 2.1 Low
Access Vector: LOCAL
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
AV:L/AC:L/Au:N/C:P/I:N/A:N

log4js is vulnerable to information disclosure. Log files containing sensitive user details are exposed when users have not supplied their own permissions for those files via the mode parameter in the config, allowing attackers to gain access to the sensitive information in the log files.

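A check for the exposure described above, as an added example that is not part of the advisory or the log4js project: it flags file appenders in a log4js-style configuration object that do not set mode, and reports log files on disk that group or other users can access. The appender type list, the sample configuration and the file names are constructed assumptions; the code uses only Node.js built-ins and POSIX permission bits.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');

// Assumption: these are the appender types that write log files to disk.
const FILE_APPENDERS = new Set(['file', 'fileSync', 'dateFile']);
const GROUP_OTHER = 0o077; // any permission bit for group or other

// Flag file appenders that leave `mode` unset or grant group/other access.
function auditConfig(config) {
  const findings = [];
  for (const [name, a] of Object.entries(config.appenders || {})) {
    if (!FILE_APPENDERS.has(a.type)) continue;
    if (a.mode === undefined) {
      findings.push({ appender: name, issue: 'mode-not-set' });
    } else if (a.mode & GROUP_OTHER) {
      findings.push({ appender: name, issue: 'mode-too-open' });
    }
  }
  return findings;
}

// Check a log file already on disk: its permission bits and whether group or
// other can access it. POSIX only; Windows does not report these bits.
function auditFile(file) {
  const bits = fs.statSync(file).mode & 0o777;
  return { file, mode: bits.toString(8), exposed: (bits & GROUP_OTHER) !== 0 };
}

// Constructed sample: one appender without `mode`, one pinned to 0o600.
function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'logaudit-'));
  const open = path.join(dir, 'app.log');
  const tight = path.join(dir, 'audit.log');
  fs.writeFileSync(open, 'user=alice session=constructed\n');
  fs.chmodSync(open, 0o644); // simulates a log file created world-readable
  fs.writeFileSync(tight, 'user=alice\n');
  fs.chmodSync(tight, 0o600);
  const config = {
    appenders: {
      app: { type: 'file', filename: open },
      audit: { type: 'file', filename: tight, mode: 0o600 },
      console: { type: 'stdout' },
    },
  };
  const result = { config: auditConfig(config), files: [open, tight].map(auditFile) };
  fs.rmSync(dir, { recursive: true, force: true });
  return result;
}
```

Calling demo() returns the findings for the constructed configuration; auditConfig and auditFile can be pointed at a real configuration object and its log paths.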
github.com/log4js-node/log4js-node/blob/v6.4.0/CHANGELOG.md#640
github.com/log4js-node/log4js-node/commit/8042252861a1b65adb66931fdf702ead34fa9b76
github.com/log4js-node/log4js-node/pull/1141
github.com/log4js-node/log4js-node/pull/1141/commits/8042252861a1b65adb66931fdf702ead34fa9b76
github.com/log4js-node/log4js-node/security/advisories/GHSA-82v2-mx6x-wq7q
github.com/log4js-node/streamroller/pull/87
lists.debian.org/debian-lts-announce/2022/12/msg00014.html