Vulnerability Monitor

CVE-2022-32212


An OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20.0, <18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check whether an IP address is invalid before making DNS requests, allowing rebinding attacks.


Published

2022-07-14T15:15:08.237

Last Modified

2024-11-21T07:05:56.093

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 8.1 (HIGH)

Weaknesses
  • Type: Secondary
    CWE-284 (Improper Access Control)
  • Type: Primary
    CWE-78 (Improper Neutralization of Special Elements used in an OS Command, 'OS Command Injection')

Affected Vendors & Products
Type              Vendor         Product       Version/Range  Vulnerable?
Application       nodejs         node.js       ≤ 14.14.0      Yes
Application       nodejs         node.js       < 14.20.1      Yes
Application       nodejs         node.js       ≤ 16.12.0      Yes
Application       nodejs         node.js       < 16.17.1      Yes
Application       nodejs         node.js       < 18.5.0       Yes
Operating System  debian         debian_linux  10.0           Yes
Operating System  debian         debian_linux  11.0           Yes
Operating System  fedoraproject  fedora        35             Yes
Operating System  fedoraproject  fedora        36             Yes
Operating System  fedoraproject  fedora        37             Yes
Application       siemens        sinec_ins     < 1.0          Yes
Application       siemens        sinec_ins     1.0            Yes
Application       siemens        sinec_ins     1.0            Yes

References