QwikSec

Security Database

CVE

CWE

Training

CVE-2022-21704

Published: Jan 19, 2022

Modified: Apr 23, 2025

PUBLISHED

CVSS v3.1

5.5

MEDIUM

Description

log4js-node is a port of log4js to node.js. In affected versions default file permissions for log files created by the file, fileSync and dateFile appenders are world-readable (in unix). This could cause problems if log files contain sensitive information. This would affect any users that have not supplied their own permissions for the files via the mode parameter in the config. Users are advised to update.

Vendor	Product	Versions
log4js-node	log4js-node	affected `< 6.4.0`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

References

https://github.com/log4js-node/log4js-node/security/advisories/GHSA-82v2-mx6x-wq7q

https://github.com/log4js-node/log4js-node/pull/1141/commits/8042252861a1b65adb66931fdf702ead34fa9b76

https://github.com/log4js-node/streamroller/pull/87

https://github.com/log4js-node/log4js-node/blob/v6.4.0/CHANGELOG.md#640

[debian-lts-announce] 20221206 [SECURITY] [DLA 3229-1] node-log4js security update

mailing-list

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.