First published: Fri Jul 08 2022(Updated: )
A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20.0, <18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks.
Credit: support@hackerone.com
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/nodejs | <14.20.0 | 14.20.0 |
redhat/nodejs | <16.20.0 | 16.20.0 |
redhat/nodejs | <18.5.0 | 18.5.0 |
redhat/nodejs | <1:16.16.0-1.el9_0 | 1:16.16.0-1.el9_0 |
redhat/rh-nodejs14-nodejs | <0:14.20.0-2.el7 | 0:14.20.0-2.el7 |
Nodejs Node.js | >=14.0.0<=14.14.0 | |
Nodejs Node.js | >=14.15.0<14.20.1 | |
Nodejs Node.js | >=16.0.0<=16.12.0 | |
Nodejs Node.js | >=16.13.0<16.17.1 | |
Nodejs Node.js | >=18.0.0<18.5.0 | |
Debian Debian Linux | =10.0 | |
Debian Debian Linux | =11.0 | |
Fedoraproject Fedora | =35 | |
Fedoraproject Fedora | =36 | |
Fedoraproject Fedora | =37 | |
Siemens Sinec Ins | <1.0 | |
Siemens Sinec Ins | =1.0 | |
Siemens Sinec Ins | =1.0-sp1 | |
debian/nodejs | <=10.24.0~dfsg-1~deb10u1 | 10.24.0~dfsg-1~deb10u3 12.22.12~dfsg-1~deb11u4 18.13.0+dfsg1-1 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
(Appears in the following advisories)
CVE-2022-32212 is an OS Command Injection vulnerability in Node.js versions <14.20.0 <16.20.0 <18.5.0.
CVE-2022-32212 has a severity rating of 8.1 (High).
Node.js versions <14.20.0, <16.20.0, and <18.5.0 are affected by CVE-2022-32212.
To fix CVE-2022-32212, update your Node.js installation to version 14.20.0 or later.
You can find more information about CVE-2022-32212 on the Red Hat Security Advisory and Node.js official website.