CVE-2022-32212 : A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20

A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20.0, <18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks.

Published 2022-07-14 15:15:08

Updated 2023-02-23 20:15:12

Source HackerOne

View at NVD, CVE.org

Vulnerability category: BypassGain privilege

Products affected by CVE-2022-32212

Debian » Debian Linux » Version: 10.0
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
Matching versions
Debian » Debian Linux » Version: 11.0
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
Matching versions
Siemens » Sinec Ins
Versions before (<) 1.0
cpe:2.3:a:siemens:sinec_ins:*:*:*:*:*:*:*:*
Matching versions
Siemens » Sinec Ins » Version: 1.0 Update SP1
cpe:2.3:a:siemens:sinec_ins:1.0:sp1:*:*:*:*:*:*
Matching versions
Siemens » Sinec Ins » Version: 1.0
cpe:2.3:a:siemens:sinec_ins:1.0:-:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 35
cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 36
cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 37
cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » LTS Edition
Versions from including (>=) 16.13.0 and before (<) 16.17.1
cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*
Matching versions
Nodejs » Node.js »
Versions from including (>=) 16.0.0 and up to, including, (<=) 16.12.0
cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
Matching versions
Nodejs » Node.js » LTS Edition
Versions from including (>=) 14.15.0 and before (<) 14.20.1
cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*
Matching versions
Nodejs » Node.js »
Versions from including (>=) 14.0.0 and up to, including, (<=) 14.14.0
cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
Matching versions
Nodejs » Node.js »
Versions from including (>=) 18.0.0 and before (<) 18.5.0
cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2022-32212

EPSS FAQ

0.06%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 17 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-32212

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
8.1	HIGH	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H	2.2	5.9	NIST
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2022-32212

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Assigned by: nvd@nist.gov (Primary)
CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Assigned by: support@hackerone.com (Secondary)

References for CVE-2022-32212

https://hackerone.com/reports/1632921

HackerOne

Jump to

Vulnerability Details : CVE-2022-32212

Products affected by CVE-2022-32212

Exploit prediction scoring system (EPSS) score for CVE-2022-32212

CVSS scores for CVE-2022-32212

CWE ids for CVE-2022-32212

References for CVE-2022-32212