GHSA-82V2-MX6X-WQ7Q
Vulnerability from github – Published: 2022-01-21 18:53 – Updated: 2022-10-03 19:49
Impact
Default file permissions for log files created by the file, fileSync and dateFile appenders are world-readable (on Unix). This is a problem when log files contain sensitive information. It affects any user who has not supplied their own permissions for the files via the mode parameter in the appender configuration.
Patches
Fixed by:
- https://github.com/log4js-node/log4js-node/pull/1141
- https://github.com/log4js-node/streamroller/pull/87
Released to npm in log4js@6.4.0.
Workarounds
Every version of log4js published allows passing the mode parameter to the configuration of file appenders, see the documentation for details.
References
Thanks to ranjit-git for raising the issue, and to @lamweili for fixing the problem.
For more information
If you have any questions or comments about this advisory:
- Open an issue in log4js-node
- Ask a question in the slack channel
- Email us at gareth.nomiddlename@gmail.com
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "log4js"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.4.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-21704"
],
"database_specific": {
"cwe_ids": [
"CWE-276"
],
"github_reviewed": true,
"github_reviewed_at": "2022-01-19T22:47:14Z",
"nvd_published_at": "2022-01-19T23:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\nDefault file permissions for log files created by the file, fileSync and dateFile appenders are world-readable (in unix). This could cause problems if log files contain sensitive information. This would affect any users that have not supplied their own permissions for the files via the mode parameter in the config.\n\n### Patches\nFixed by:\n* https://github.com/log4js-node/log4js-node/pull/1141\n* https://github.com/log4js-node/streamroller/pull/87\n\nReleased to NPM in log4js@6.4.0\n\n### Workarounds\nEvery version of log4js published allows passing the mode parameter to the configuration of file appenders, see the documentation for details.\n\n### References\n\nThanks to [ranjit-git](https://www.huntr.dev/users/ranjit-git) for raising the issue, and to @lamweili for fixing the problem.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [logj4s-node](https://github.com/log4js-node/log4js-node)\n* Ask a question in the [slack channel](https://join.slack.com/t/log4js-node/shared_invite/enQtODkzMDQ3MzExMDczLWUzZmY0MmI0YWI1ZjFhODY0YjI0YmU1N2U5ZTRkOTYyYzg3MjY5NWI4M2FjZThjYjdiOGM0NjU2NzBmYTJjOGI)\n* Email us at [gareth.nomiddlename@gmail.com](mailto:gareth.nomiddlename@gmail.com)\n",
"id": "GHSA-82v2-mx6x-wq7q",
"modified": "2022-10-03T19:49:13Z",
"published": "2022-01-21T18:53:27Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/log4js-node/log4js-node/security/advisories/GHSA-82v2-mx6x-wq7q"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21704"
},
{
"type": "WEB",
"url": "https://github.com/log4js-node/log4js-node/pull/1141/commits/8042252861a1b65adb66931fdf702ead34fa9b76"
},
{
"type": "WEB",
"url": "https://github.com/log4js-node/streamroller/pull/87"
},
{
"type": "PACKAGE",
"url": "https://github.com/log4js-node/log4js-node"
},
{
"type": "WEB",
"url": "https://github.com/log4js-node/log4js-node/blob/v6.4.0/CHANGELOG.md#640"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00014.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Incorrect Default Permissions in log4js"
}
Sightings
| Author | Source | Type | Date | Other |
|---|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.