CVE-2022-21704
Information Disclosure vulnerability in log4js (npm)

Information Disclosure; no known exploit

What is CVE-2022-21704 About?

The `log4js-node` package in all versions can create log files with world-readable default file permissions (in Unix environments). This allows unauthorized disclosure of potentially sensitive information contained in log files. Exploitation is trivial for any local user.

Affected Software

log4js <6.4.0

Technical Details

The vulnerability in log4js-node (addressed in log4js@6.4.0 together with the accompanying streamroller update) relates to insecure default file permissions. When the file, fileSync, and dateFile appenders create log files on Unix-like operating systems, they are assigned world-readable permissions by default if the `mode` parameter is not explicitly supplied in the appender configuration. This means that any local user on the system can read the contents of these log files. If the log files contain sensitive data such as API keys, personally identifiable information (PII), or system configuration details, this leads to unauthorized information disclosure.

What is the Impact of CVE-2022-21704?

Successful exploitation may allow a local attacker to read sensitive information from log files, leading to data breaches or further system compromise.

What is the Exploitability of CVE-2022-21704?

Exploitation of this vulnerability has very low complexity. It relies on the default configuration in which the `mode` parameter for the file-based appenders (file, fileSync, dateFile) is not explicitly set, leading to world-readable permissions on Unix-like systems. It requires local access to the system where log4js-node is running; no authentication or special privileges are needed for a local user to read world-readable files. The main risk factor is deploying log4js-node without specifying secure file permissions, which lets any local user read the log contents.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known public exploits.

What are the Available Fixes for CVE-2022-21704?

Available Upgrade Options

  • log4js
    • <6.4.0 → Upgrade to 6.4.0


Additional Resources

What are Similar Vulnerabilities to CVE-2022-21704?

Similar Vulnerabilities: CVE-2021-39185, CVE-2021-23425, CVE-2015-8979, CVE-2014-0060, CVE-2020-13768