ubuntu-cve-2022-21704
Vulnerability from osv_ubuntu
Published
2022-01-19 23:15
Modified
2025-10-24 04:53
Summary
Details
log4js-node is a port of log4js to node.js. In affected versions default file permissions for log files created by the file, fileSync and dateFile appenders are world-readable (in unix). This could cause problems if log files contain sensitive information. This would affect any users that have not supplied their own permissions for the files via the mode parameter in the config. Users are advised to update.
Severity
5.5 (Medium)
5.5 (Medium)
N/A (UNKNOWN)
References
{
"affected": [
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "node-log4js",
"binary_version": "0.6.18-1"
}
]
},
"package": {
"ecosystem": "Ubuntu:16.04:LTS",
"name": "node-log4js",
"purl": "pkg:deb/ubuntu/node-log4js@0.6.18-1?arch=source\u0026distro=xenial"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.6.18-1"
]
},
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "node-log4js",
"binary_version": "0.6.18-1"
}
]
},
"package": {
"ecosystem": "Ubuntu:18.04:LTS",
"name": "node-log4js",
"purl": "pkg:deb/ubuntu/node-log4js@0.6.18-1?arch=source\u0026distro=bionic"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.6.18-1"
]
},
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "node-log4js",
"binary_version": "6.1.0-1"
}
]
},
"package": {
"ecosystem": "Ubuntu:20.04:LTS",
"name": "node-log4js",
"purl": "pkg:deb/ubuntu/node-log4js@6.1.0-1?arch=source\u0026distro=focal"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"4.5.1-3",
"5.2.1-1",
"6.1.0-1"
]
}
],
"aliases": [],
"details": "log4js-node is a port of log4js to node.js. In affected versions default file permissions for log files created by the file, fileSync and dateFile appenders are world-readable (in unix). This could cause problems if log files contain sensitive information. This would affect any users that have not supplied their own permissions for the files via the mode parameter in the config. Users are advised to update.",
"id": "UBUNTU-CVE-2022-21704",
"modified": "2025-10-24T04:53:26Z",
"published": "2022-01-19T23:15:00Z",
"references": [
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2022-21704"
},
{
"type": "REPORT",
"url": "https://github.com/log4js-node/log4js-node/pull/1141"
},
{
"type": "REPORT",
"url": "https://github.com/log4js-node/streamroller/pull/87"
},
{
"type": "REPORT",
"url": "https://github.com/log4js-node/log4js-node/security/advisories/GHSA-82v2-mx6x-wq7q"
},
{
"type": "REPORT",
"url": "https://github.com/log4js-node/log4js-node/blob/v6.4.0/CHANGELOG.md#640"
},
{
"type": "REPORT",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-21704"
}
],
"related": [],
"schema_version": "1.7.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "low",
"type": "Ubuntu"
}
],
"upstream": [
"CVE-2022-21704"
]
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…