CVE-2022-32212

CVSS v3.1 8.1 (High)

EPSS 0.11 % (45^th)

Affected Products 4

Advisories 29

A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20.0, <18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks.

Weaknesses

CWE-284: Improper Access Control
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Related CVEs

CVE-2022-43548

CVE Status: PUBLISHED
CNA: HackerOne
Published Date: 2022-07-14 15:15:08
(2 years ago)
Updated Date: 2023-02-23 20:15:12
(19 months ago)

Affected Products

Configuration #1

	CPE23	From	Up To
Nodejs Node.js from 14.0.0 version and 14.14.0 and prior versions	cpe:2.3:a:nodejs:node.js::::*:-	>= 14.0.0	<= 14.14.0
Nodejs Node.js from 14.15.0 version and prior 14.20.1 version	cpe:2.3:a:nodejs:node.js::::*:lts	>= 14.15.0	< 14.20.1
Nodejs Node.js from 16.0.0 version and 16.12.0 and prior versions	cpe:2.3:a:nodejs:node.js::::*:-	>= 16.0.0	<= 16.12.0
Nodejs Node.js from 16.13.0 version and prior 16.17.1 version	cpe:2.3:a:nodejs:node.js::::*:lts	>= 16.13.0	< 16.17.1
Nodejs Node.js from 18.0.0 version and prior 18.5.0 version	cpe:2.3:a:nodejs:node.js::::*:-	>= 18.0.0	< 18.5.0

Configuration #2

		CPE23	From	Up To
	Debian Linux 10.0	cpe:2.3:o:debian:debian_linux:10.0
	Debian Linux 11.0	cpe:2.3:o:debian:debian_linux:11.0
	Fedoraproject Fedora 35	cpe:2.3:o:fedoraproject:fedora:35
	Fedoraproject Fedora 36	cpe:2.3:o:fedoraproject:fedora:36
	Fedoraproject Fedora 37	cpe:2.3:o:fedoraproject:fedora:37

Configuration #3

	CPE23	Up To
Siemens Sinec Ins prior 1.0 version	cpe:2.3:a:siemens:sinec_ins	< 1.0
Siemens Sinec Ins 1.0	cpe:2.3:a:siemens:sinec_ins:1.0:-
Siemens Sinec Ins 1.0 SP1	cpe:2.3:a:siemens:sinec_ins:1.0:sp1

Weaknesses

Related CVEs

Affected Products

Debian

Fedoraproject

Nodejs

Siemens

Configuration #1

Configuration #2

Configuration #3