Incorrect Default Permissions in log4js-node
CVE-2022-21704

5.5MEDIUM

Key Information:

Vendor

Log4js-node

Status
Log4js-node
Vendor
CVE Published:
19 January 2022

What is CVE-2022-21704?

log4js-node is a port of log4js to node.js. In affected versions default file permissions for log files created by the file, fileSync and dateFile appenders are world-readable (in unix). This could cause problems if log files contain sensitive information. This would affect any users that have not supplied their own permissions for the files via the mode parameter in the config. Users are advised to update.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

log4js-node < 6.4.0

References

https://github.com/log4js-node/log4js-node/security/advis...
https://github.com/log4js-node/log4js-node/pull/1141/comm...
https://github.com/log4js-node/streamroller/pull/87

CVSS V3.1

Score:
5.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.