CVE-2022-43548

A OS Command Injection vulnerability exists in Node.js versions <14.21.1, <16.18.1, <18.12.1, <19.0.1 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks.The fix for this issue in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32212 was incomplete and this new CVE is to complete the fix.

CVSS v3.0 8.1 HIGH

8.1^/10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://nodejs.org/en/blog/vulnerability/november-2022-security-releases/	Patch Vendor Advisory
https://security.netapp.com/advisory/ntap-20230120-0004/	Third Party Advisory
https://www.debian.org/security/2023/dsa-5326	Third Party Advisory
https://lists.debian.org/debian-lts-announce/2023/02/msg00038.html	Mailing List Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:nodejs:node.js:::::-:::*
	cpe:2.3:a:nodejs:node.js:::::-:::*
	cpe:2.3:a:nodejs:node.js:19.0.0::::-:::
	cpe:2.3:a:nodejs:node.js:::::lts:::*
	cpe:2.3:a:nodejs:node.js:::::lts:::*
	cpe:2.3:a:nodejs:node.js:::::-:::*
	cpe:2.3:a:nodejs:node.js:18.12.0::::lts:::

Configuration 2 (hide)

OR	cpe:2.3:o:debian:debian_linux:10.0:::::::*
	cpe:2.3:o:debian:debian_linux:11.0:::::::*

Information

Published : 2022-12-05 14:15

Updated : 2023-03-01 08:36

NVD link : CVE-2022-43548

Mitre link : CVE-2022-43548

JSON object : View

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Products Affected

debian

debian_linux

nodejs

node.js

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://nodejs.org/en/blog/vulnerability/november-2022-security-releases/", "name": "https://nodejs.org/en/blog/vulnerability/november-2022-security-releases/", "tags": ["Patch", "Vendor Advisory"], "refsource": "MISC"}, {"url": "https://security.netapp.com/advisory/ntap-20230120-0004/", "name": "https://security.netapp.com/advisory/ntap-20230120-0004/", "tags": ["Third Party Advisory"], "refsource": "CONFIRM"}, {"url": "https://www.debian.org/security/2023/dsa-5326", "name": "DSA-5326", "tags": ["Third Party Advisory"], "refsource": "DEBIAN"}, {"url": "https://lists.debian.org/debian-lts-announce/2023/02/msg00038.html", "name": "[debian-lts-announce] 20230226 [SECURITY] [DLA 3344-1] nodejs security update", "tags": ["Mailing List", "Third Party Advisory"], "refsource": "MLIST"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "A OS Command Injection vulnerability exists in Node.js versions <14.21.1, <16.18.1, <18.12.1, <19.0.1 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks.The fix for this issue in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32212 was incomplete and this new CVE is to complete the fix."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-78"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2022-43548", "ASSIGNER": "cve-assignments@hackerone.com"}}, "impact": {"baseMetricV3": {"cvssV3": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.2}}, "publishedDate": "2022-12-05T22:15Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndIncluding": "14.14.0", "versionStartIncluding": "14.0.0"}, {"cpe23Uri": "cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndIncluding": "16.12.0", "versionStartIncluding": "16.0.0"}, {"cpe23Uri": "cpe:2.3:a:nodejs:node.js:19.0.0:*:*:*:-:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "16.18.1", "versionStartIncluding": "16.13.0"}, {"cpe23Uri": "cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "14.21.1", "versionStartIncluding": "14.15.0"}, {"cpe23Uri": "cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndIncluding": "18.11.0", "versionStartIncluding": "18.0.0"}, {"cpe23Uri": "cpe:2.3:a:nodejs:node.js:18.12.0:*:*:*:lts:*:*:*", "cpe_name": [], "vulnerable": true}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2023-03-01T16:36Z"}

8.1 /10