Zero-friction vulnerability management platform

Mageni eases for you the vulnerability scanning, assessment, and management process. It is free and open-source.

Available for macOS, Windows, and Linux

CVE-2022-32212

CVE information

Published: 4 weeks ago
Last Modified: 1 week ago
CVSSv3.1 Severity: High

Description

An OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20.0, <18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check whether an IP address is invalid before making DNS requests, allowing rebinding attacks.

CVSSv3.1 Score

Severity: High
Base Score: 8.1/10
Exploit Score: 2.2/10
Access Vector: Network
Access Complexity: High
Privileges Required: None
Impact Score: 5.9/10
Confidentiality Impact: High
Availability Impact: High
Integrity Impact: High
Scope: Unchanged
User Interaction: None

Products Affected

CPE                                          Vulnerable   Affected from (including)   Up to (excluding)
cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*     Yes          18.0.0                      18.5.0
cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*   Yes          14.15.0                     14.20.0
cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*   Yes          16.13.0                     16.16.0
cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*     Yes          14.0.0                      -
cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*     Yes          16.0.0                      -