CVE-2022-32212

Public on 2022-07-14
Modified on 2024-01-12
Description
A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20.0, <18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks.
Severity
Medium severity
Medium
CVSS v3 Base Score
7.5
See breakdown

Affected Packages

Platform Package Release Date Advisory Status
Amazon Linux 2 - Core nodejs Not Affected
Amazon Linux 2023 nodejs 2023-02-17 ALAS2023-2023-084 Fixed

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
NVD CVSSv3 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H