Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS04MnYyLW14Nngtd3E3cc0kfw
Incorrect Default Permissions in log4js
Impact
Default file permissions for log files created by the file, fileSync and dateFile appenders are world-readable (in unix). This could cause problems if log files contain sensitive information. This would affect any users that have not supplied their own permissions for the files via the mode parameter in the config.
Patches
Fixed by:
- https://github.com/log4js-node/log4js-node/pull/1141
- https://github.com/log4js-node/streamroller/pull/87
Released to NPM in [email protected]
Workarounds
Every version of log4js published allows passing the mode parameter to the configuration of file appenders, see the documentation for details.
References
Thanks to ranjit-git for raising the issue, and to @lamweili for fixing the problem.
For more information
If you have any questions or comments about this advisory:
- Open an issue in logj4s-node
- Ask a question in the slack channel
- Email us at [email protected]
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04MnYyLW14Nngtd3E3cc0kfw
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 2 years ago
Updated: 4 months ago
CVSS Score: 5.5
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-82v2-mx6x-wq7q, CVE-2022-21704
References:
- https://github.com/log4js-node/log4js-node/security/advisories/GHSA-82v2-mx6x-wq7q
- https://github.com/log4js-node/log4js-node/pull/1141/commits/8042252861a1b65adb66931fdf702ead34fa9b76
- https://github.com/log4js-node/streamroller/pull/87
- https://github.com/log4js-node/log4js-node/blob/v6.4.0/CHANGELOG.md#640
- https://nvd.nist.gov/vuln/detail/CVE-2022-21704
- https://lists.debian.org/debian-lts-announce/2022/12/msg00014.html
- https://github.com/advisories/GHSA-82v2-mx6x-wq7q
Blast Radius: 32.4
Affected Packages
npm:log4js
Dependent packages: 4,246Dependent repositories: 769,846
Downloads: 15,552,156 last month
Affected Version Ranges: < 6.4.0
Fixed in: 6.4.0
All affected versions: 0.1.0, 0.2.0, 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.2.6, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.3.5, 0.3.6, 0.3.7, 0.3.8, 0.3.9, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.5.4, 0.5.5, 0.5.6, 0.5.7, 0.5.8, 0.6.0, 0.6.1, 0.6.2, 0.6.3, 0.6.4, 0.6.5, 0.6.6, 0.6.7, 0.6.8, 0.6.9, 0.6.10, 0.6.11, 0.6.12, 0.6.13, 0.6.14, 0.6.15, 0.6.16, 0.6.17, 0.6.18, 0.6.19, 0.6.20, 0.6.21, 0.6.22, 0.6.23, 0.6.24, 0.6.25, 0.6.26, 0.6.27, 0.6.28, 0.6.29, 0.6.30, 0.6.31, 0.6.32, 0.6.33, 0.6.34, 0.6.35, 0.6.36, 0.6.37, 0.6.38, 1.0.0, 1.0.1, 1.1.0, 1.1.1, 2.0.0, 2.0.1, 2.1.0, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 2.3.7, 2.3.8, 2.3.9, 2.3.10, 2.3.11, 2.3.12, 2.4.1, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.6.0, 2.6.1, 2.7.0, 2.8.0, 2.9.0, 2.10.0, 2.11.0, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 4.0.0, 4.0.1, 4.0.2, 4.1.0, 4.1.1, 4.2.0, 4.3.0, 4.3.1, 4.3.2, 4.4.0, 4.5.0, 4.5.1, 5.0.0, 5.1.0, 5.2.0, 5.2.1, 5.2.2, 5.3.0, 6.0.0, 6.1.0, 6.1.1, 6.1.2, 6.2.0, 6.2.1, 6.3.0
All unaffected versions: 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.5.0, 6.5.1, 6.5.2, 6.6.0, 6.6.1, 6.7.0, 6.7.1, 6.8.0, 6.9.0, 6.9.1