Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

debian логотип

CVE-2022-32212

Опубликовано: 14 июл. 2022
Источник: debian

Описание

A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20.0, <18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks.

Пакеты

ПакетСтатусВерсия исправленияРелизТип
nodejsfixed18.6.0+dfsg-3package

Примечания

  • https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/#dns-rebinding-in-inspect-via-invalid-ip-addresses-high-cve-2022-32212

  • https://github.com/nodejs/node/commit/48c5aa5cab718d04473fa2761d532657c84b8131 (v14.x)

  • https://github.com/nodejs/node/commit/a1121b456c54b16d980881f821cd700c6a4ca537 (14.20.1) (follow-up)

  • https://github.com/nodejs/node/commit/1aa5036c31ac2a9b2a2528af454675ad412f1464 (main)

  • https://github.com/nodejs/node/commit/b358fb27a4253c6827378a64163448c04301e19c (main) (follow-up)

Связанные уязвимости

ubuntu логотип

CVE-2022-32212

CVSS3: 8.1
ubuntu
больше 3 лет назад

A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20.0, <18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks.

redhat логотип

CVE-2022-32212

CVSS3: 7.5
redhat
больше 3 лет назад

A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20.0, <18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks.

nvd логотип

CVE-2022-32212

CVSS3: 8.1
nvd
больше 3 лет назад

A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20.0, <18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks.

msrc логотип

CVE-2022-32212

CVSS3: 8.1
msrc
около 3 лет назад

Описание отсутствует

github логотип

GHSA-w95h-2gj2-x2p4

CVSS3: 8.1
github
больше 3 лет назад

A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20.0, <18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks.