CVE-2022-43548

CVSS v3.1 8.1 (High)

EPSS 0.65 % (80^th)

Affected Products 2

Advisories 33

A OS Command Injection vulnerability exists in Node.js versions <14.21.1, <16.18.1, <18.12.1, <19.0.1 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks.The fix for this issue in CVE-2022-32212">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32212 was incomplete and this new CVE is to complete the fix.

Weaknesses

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Related CVEs

CVE-2022-32212

CVE Status: PUBLISHED
CNA: HackerOne
Published Date: 2022-12-05 22:15:10
(21 months ago)
Updated Date: 2023-04-27 15:15:09
(16 months ago)

Affected Products

Debian

Debian Linux

Nodejs

Node.js

Configuration #1

	CPE23	From	Up To
Nodejs Node.js from 14.0.0 version and 14.14.0 and prior versions	cpe:2.3:a:nodejs:node.js::::*:-	>= 14.0.0	<= 14.14.0
Nodejs Node.js from 14.15.0 version and prior 14.21.1 version	cpe:2.3:a:nodejs:node.js::::*:lts	>= 14.15.0	< 14.21.1
Nodejs Node.js from 16.0.0 version and 16.12.0 and prior versions	cpe:2.3:a:nodejs:node.js::::*:-	>= 16.0.0	<= 16.12.0
Nodejs Node.js from 16.13.0 version and prior 16.18.1 version	cpe:2.3:a:nodejs:node.js::::*:lts	>= 16.13.0	< 16.18.1
Nodejs Node.js from 18.0.0 version and 18.11.0 and prior versions	cpe:2.3:a:nodejs:node.js::::*:-	>= 18.0.0	<= 18.11.0
Nodejs Node.js 18.12.0	cpe:2.3:a:nodejs:node.js:18.12.0:::*:lts
Nodejs Node.js 19.0.0	cpe:2.3:a:nodejs:node.js:19.0.0:::*:-

Configuration #2

		CPE23	From	Up To
	Debian Linux 10.0	cpe:2.3:o:debian:debian_linux:10.0
	Debian Linux 11.0	cpe:2.3:o:debian:debian_linux:11.0