CVE-2022-21704: Incorrect Default Permissions in log4js-node
First published: Wed Jan 19 2022(Updated: )
### Impact Default file permissions for log files created by the file, fileSync and dateFile appenders are world-readable (in unix). This could cause problems if log files contain sensitive information. This would affect any users that have not supplied their own permissions for the files via the mode parameter in the config. ### Patches Fixed by: * https://github.com/log4js-node/log4js-node/pull/1141 * https://github.com/log4js-node/streamroller/pull/87 Released to NPM in log4js@6.4.0 ### Workarounds Every version of log4js published allows passing the mode parameter to the configuration of file appenders, see the documentation for details. ### References Thanks to [ranjit-git](https://www.huntr.dev/users/ranjit-git) for raising the issue, and to @lamweili for fixing the problem. ### For more information If you have any questions or comments about this advisory: * Open an issue in [logj4s-node](https://github.com/log4js-node/log4js-node) * Ask a question in the [slack channel](https://join.slack.com/t/log4js-node/shared_invite/enQtODkzMDQ3MzExMDczLWUzZmY0MmI0YWI1ZjFhODY0YjI0YmU1N2U5ZTRkOTYyYzg3MjY5NWI4M2FjZThjYjdiOGM0NjU2NzBmYTJjOGI) * Email us at [gareth.nomiddlename@gmail.com](mailto:gareth.nomiddlename@gmail.com)
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Log4js Project Log4js | <6.4.0 | |
| Debian Debian Linux | =10.0 | |
| IBM Security Verify Governance | <=10.0 | |
| npm/log4js | <6.4.0 | 6.4.0 |
| <6.4.0 | ||
| =10.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/log4js-node/log4js-node/blob/v6.4.0/CHANGELOG.md#640
- https://github.com/log4js-node/log4js-node/pull/1141/commits/8042252861a1b65adb66931fdf702ead34fa9b76
- https://github.com/log4js-node/log4js-node/security/advisories/GHSA-82v2-mx6x-wq7q
- https://github.com/log4js-node/streamroller/pull/87
- https://lists.debian.org/debian-lts-announce/2022/12/msg00014.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/217832
- https://www.ibm.com/support/pages/node/7057377 (Advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2022-21704
- https://github.com/advisories/GHSA-82v2-mx6x-wq7q (Advisory)
Frequently Asked Questions
What is the vulnerability ID for log4js-node?
The vulnerability ID for log4js-node is CVE-2022-21704.
What is the severity of CVE-2022-21704?
CVE-2022-21704 has a severity level of 5.5 (medium).
How does log4js-node allow an attacker to obtain sensitive information?
log4js-node allows an attacker to obtain sensitive information by having default file permissions for log files that are world-readable.
Which versions of log4js-node are affected by CVE-2022-21704?
Versions up to (but not including) 6.4.0 of log4js-node are affected by CVE-2022-21704.
Is there a fix available for CVE-2022-21704?
Yes, a fix is available for CVE-2022-21704 and can be found in the log4js-node GitHub repository.
- collector/nvd-index
- agent/type
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-82v2-mx6x-wq7q
- alias/CVE-2022-21704
- agent/software-canonical-lookup
- agent/severity
- agent/weakness
- agent/remedy
- agent/references
- agent/description
- agent/author
- agent/softwarecombine
- collector/nvd-cve
- source/NVD
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/title
- agent/first-publish-date
- agent/event
- agent/tags
- collector/ibm-support
- source/IBM
- vendor/log4js project
- canonical/log4js project log4js
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/10.0
- package-manager/npm
- vendor/ibm
- canonical/ibm security verify governance
- version/ibm security verify governance/10.0