Уязвимость CVE-2022-32212: Информация

Описание

A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20.0, <18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks.

Важность: HIGH (8,1) Вектор: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Исправленные пакеты

Ссылки на рекомендации, решения и инструменты

1. Подверженные конфигурации:

   1. Конфигурация 1

      cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*

      Start including

      18.0.0

      End excliding

      18.5.0

      ---

      cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*

      Start including

      14.0.0

      End including

      14.14.0

      ---

      cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*

      Start including

      16.0.0

      End including

      16.12.0

      ---

      cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*

      Start including

      14.15.0

      End excliding

      14.20.1

      ---

      cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*

      Start including

      16.13.0

      End excliding

      16.17.1

      ---

      Конфигурация 2

      cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

      ---

      cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*

      ---

      cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*

      ---

      cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*

      ---

      cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*

      ---

      Конфигурация 3

      cpe:2.3:a:siemens:sinec_ins:1.0:sp1:*:*:*:*:*:*

      ---

      cpe:2.3:a:siemens:sinec_ins:*:*:*:*:*:*:*:*

      End excliding

      1.0

      ---

      cpe:2.3:a:siemens:sinec_ins:1.0:-:*:*:*:*:*:*

      ---