CVE-2022-32212: OS Command Injection
First published: Fri Jul 08 2022(Updated: )
A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20.0, <18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks.
Credit: support@hackerone.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/nodejs | <14.20.0 | 14.20.0 |
| redhat/nodejs | <16.20.0 | 16.20.0 |
| redhat/nodejs | <18.5.0 | 18.5.0 |
| redhat/nodejs | <1:16.16.0-1.el9_0 | 1:16.16.0-1.el9_0 |
| redhat/rh-nodejs14-nodejs | <0:14.20.0-2.el7 | 0:14.20.0-2.el7 |
| Nodejs Node.js | >=14.0.0<=14.14.0 | |
| Nodejs Node.js | >=14.15.0<14.20.1 | |
| Nodejs Node.js | >=16.0.0<=16.12.0 | |
| Nodejs Node.js | >=16.13.0<16.17.1 | |
| Nodejs Node.js | >=18.0.0<18.5.0 | |
| Debian Debian Linux | =10.0 | |
| Debian Debian Linux | =11.0 | |
| Fedoraproject Fedora | =35 | |
| Fedoraproject Fedora | =36 | |
| Fedoraproject Fedora | =37 | |
| Siemens Sinec Ins | <1.0 | |
| Siemens Sinec Ins | =1.0 | |
| Siemens Sinec Ins | =1.0-sp1 | |
| debian/nodejs | <=10.24.0~dfsg-1~deb10u1 | 10.24.0~dfsg-1~deb10u3 12.22.12~dfsg-1~deb11u4 18.13.0+dfsg1-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://hackerone.com/reports/1632921
- https://access.redhat.com/security/cve/CVE-2022-32212
- https://access.redhat.com/security/cve/CVE-2021-22884
- https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2108518
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2108521
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2108522
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2108519
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2108523
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2108524
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2108520
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2108525
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2108526
- https://github.com/nodejs/node/commit/48c5aa5cab
- https://github.com/nodejs/node/commit/754c9bfde0
- https://github.com/nodejs/node/commit/e4af5eba95
- https://access.redhat.com/errata/RHSA-2022:6389
- https://access.redhat.com/errata/RHSA-2022:6448
- https://access.redhat.com/errata/RHSA-2022:6449
- https://access.redhat.com/errata/RHSA-2022:6595
- https://access.redhat.com/errata/RHSA-2022:6985
- https://access.redhat.com/security/cve/cve-2022-32212
- https://bugzilla.redhat.com/show_bug.cgi?id=2105422
- https://www.cve.org/CVERecord?id=CVE-2022-32212 https://nvd.nist.gov/vuln/detail/CVE-2022-32212 https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/
- https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/#dns-rebinding-in-inspect-via-invalid-ip-addresses-high-cve-2022-32212
- https://github.com/nodejs/node/commit/48c5aa5cab718d04473fa2761d532657c84b8131
- https://github.com/nodejs/node/commit/a1121b456c54b16d980881f821cd700c6a4ca537
- https://github.com/nodejs/node/commit/1aa5036c31ac2a9b2a2528af454675ad412f1464
- https://github.com/nodejs/node/commit/b358fb27a4253c6827378a64163448c04301e19c
- https://security-tracker.debian.org/tracker/CVE-2022-32212
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2022-32212?
CVE-2022-32212 is an OS Command Injection vulnerability in Node.js versions <14.20.0 <16.20.0 <18.5.0.
How severe is CVE-2022-32212?
CVE-2022-32212 has a severity rating of 8.1 (High).
What software versions are affected by CVE-2022-32212?
Node.js versions <14.20.0, <16.20.0, and <18.5.0 are affected by CVE-2022-32212.
How can I fix CVE-2022-32212?
To fix CVE-2022-32212, update your Node.js installation to version 14.20.0 or later.
Where can I find more information about CVE-2022-32212?
You can find more information about CVE-2022-32212 on the Red Hat Security Advisory and Node.js official website.
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/type
- agent/weakness
- collector/nvd-index
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2022-32212
- agent/software-canonical-lookup
- collector/redhat-cve
- collector/security-tracker-debian
- vendor/nodejs
- canonical/nodejs node.js
- version/nodejs node.js/14.0.0
- version/nodejs node.js/14.14.0
- version/nodejs node.js/14.15.0
- version/nodejs node.js/16.0.0
- version/nodejs node.js/16.12.0
- version/nodejs node.js/16.13.0
- version/nodejs node.js/18.0.0
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/10.0
- version/debian debian linux/11.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/35
- version/fedoraproject fedora/36
- version/fedoraproject fedora/37
- vendor/siemens
- canonical/siemens sinec ins
- version/siemens sinec ins/1.0
- version/siemens sinec ins/1.0-sp1
- package-manager/redhat
- package-manager/debian