
CVE-2022-32222

Published: 08 Jul 2022
Source: redhat
CVSS3: 5.3
EPSS: Low

Description

A cryptographic vulnerability exists on Node.js on linux in versions of 18.x prior to 18.40.0 which allowed a default path for openssl.cnf that might be accessible under some circumstances to a non-admin user instead of /etc/ssl as was the case in versions prior to the upgrade to OpenSSL 3.

A vulnerability was found in NodeJS. The issue occurs when Node.js starts on Linux based systems and attempts to read /home/iojs/build/ws/out/Release/obj.target/deps/openssl/openssl.cnf, which ordinarily does not exist. This flaw allows an attacker on some shared systems to create this file and affect the default OpenSSL configuration for other users.

Report

This issue is specific to the nodejs:v18 stream. This issue is contained within the OpenSSL library bundled upstream. We remove this library during the build and instead, use the one on the system, therefore, this issue does not affect us.

Affected packages

| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Red Hat Enterprise Linux 8 | nodejs:14/nodejs | Not affected | | |
| Red Hat Enterprise Linux 8 | nodejs:16/nodejs | Not affected | | |
| Red Hat Enterprise Linux 8 | nodejs:18/nodejs | Not affected | | |
| Red Hat Enterprise Linux 9 | nodejs | Not affected | | |
| Red Hat Software Collections | rh-nodejs14-nodejs | Not affected | | |


Additional information

Status: Moderate
Defect: CWE-73
https://bugzilla.redhat.com/show_bug.cgi?id=2105424 nodejs: potential openssl.cnf hijack

EPSS

Percentile: 61%
0.0042
Low

CVSS3: 5.3 Medium

Related vulnerabilities

CVSS3: 5.3
ubuntu
almost 3 years ago

A cryptographic vulnerability exists on Node.js on linux in versions of 18.x prior to 18.40.0 which allowed a default path for openssl.cnf that might be accessible under some circumstances to a non-admin user instead of /etc/ssl as was the case in versions prior to the upgrade to OpenSSL 3.

CVSS3: 5.3
nvd
almost 3 years ago

A cryptographic vulnerability exists on Node.js on linux in versions of 18.x prior to 18.40.0 which allowed a default path for openssl.cnf that might be accessible under some circumstances to a non-admin user instead of /etc/ssl as was the case in versions prior to the upgrade to OpenSSL 3.

CVSS3: 5.3
debian
almost 3 years ago

A cryptographic vulnerability exists on Node.js on linux in versions o ...

CVSS3: 5.3
github
almost 3 years ago

A cryptographic vulnerability exists on Node.js on linux in versions of 18.x prior to 18.40.0 which allowed a default path for openssl.cnf that might be accessible under some circumstances to a non-admin user instead of /etc/ssl as was the case in versions prior to the upgrade to OpenSSL 3.

oracle-oval
more than 2 years ago

ELSA-2022-9955: GraalVM Security update (IMPORTANT)
