CVE-2022-21704 — Incorrect Default Permissions in Log4js-node

CWE-276 — Incorrect Default Permissions14 documents5 sources

Severity

5.5MEDIUMNVD

OSV4.7

EPSS

0.1%

top 65.52%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Log4js-node Log4js Project Log4js Linux Kernel +2 more

Timeline

PublishedJan 19

Latest updateMar 24

Description

log4js-node is a port of log4js to node.js. In affected versions default file permissions for log files created by the file, fileSync and dateFile appenders are world-readable (in unix). This could cause problems if log files contain sensitive information. This would affect any users that have not supplied their own permissions for the files via the mode parameter in the config. Users are advised to update.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages5 packages

▶debiandebian/node-log4js< node-log4js 6.4.1+~cs8.3.5-1 (bookworm)

▶CVEListV5log4js-node/log4js-node< 6.4.0

▶NVDlog4js_project/log4js< 6.4.0

▶npmlog4js_project/log4js< 6.4.0

▶Ubuntulinux/linux_kernel< 4.4.0-278.312+1

Also affects: Debian Linux 10.0

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

linux-azure, linux-azure-4.15 vulnerabilities↗2026-03-24

▶

OSV

linux-azure vulnerabilities↗2026-03-24

▶

OSV

linux-azure-fips vulnerabilities↗2026-03-24

▶

OSV

linux-aws-fips, linux-fips, linux-gcp-fips vulnerabilities↗2026-03-20

▶

OSV

linux, linux-aws, linux-aws-hwe, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle vulnerabilities↗2026-03-20

▶

📋Vendor Advisories

Debian

CVE-2022-21704: node-log4js - log4js-node is a port of log4js to node.js. In affected versions default file pe...↗2022

▶

📄Research Papers

arXiv

Attack Techniques and Threat Identification for Vulnerabilities↗2022-06-22

▶