WARNING: OS COMMAND INJECTION VULNERABILITY IN NODE.JS
CVE-2022-43548
CVSSv3.1: 8.1
Vector v3.1: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Sources
- https://nodejs.org/en/blog/vulnerability/november-2022-security-releases/
- https://nvd.nist.gov/vuln/detail/CVE-2022-43548
Risks
The Node.js project has released a security update for Node.js. This update resolves 3 vulnerabilities, including an OS command injection vulnerability.
The Centre for Cyber security Belgium recommends that system administrators patch vulnerable systems as soon as possible and analyse system and network logs for any suspicious activity. This report contains instructions to help your organisation.
In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident
Description
An OS command injection vulnerability exists in Node.js versions <14.21.1, <16.18.1, <18.12.1 and <19.0.1 due to an insufficient IsAllowedHost check that can easily be bypassed: IsIPAddress does not properly verify whether an IP address is invalid before making DNS requests, which allows DNS rebinding attacks.
Affected products
Node.js is an open-source, cross-platform JavaScript runtime environment. As an asynchronous event-driven JavaScript runtime, Node.js is designed to build scalable network applications.
Recommended actions
Update the installation to one of the following fixed versions:
- Version 14.21.1
- Version 16.18.1
- Version 18.12.1
- Version 19.0.1