CVE-2022-32222

CWE-310CWE-427CWE-326CWE-736 documents6 sources
Severity
5.3MEDIUM
EPSS
0.6%
top 29.98%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Nodejs NodeNodejs Node.jsSiemens Sinec INS
Timeline
PublishedJul 14
Latest updateApr 9

Description

A cryptographic vulnerability exists on Node.js on linux in versions of 18.x prior to 18.40.0 which allowed a default path for openssl.cnf that might be accessible under some circumstances to a non-admin user instead of /etc/ssl as was the case in versions prior to the upgrade to OpenSSL 3.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages3 packages

CVEListV5nodejs/node4.04.*+14
NVDnodejs/node.js18.0.018.5.0
NVDsiemens/sinec_ins< 1.0+1

🔴Vulnerability Details

2
GHSA
GHSA-fxfc-w6xq-5pp8: A cryptographic vulnerability exists on Node2022-07-15
CVEList
CVE-2022-32222: A cryptographic vulnerability exists on Node2022-07-14

📋Vendor Advisories

2
Red Hat
nodejs: potential openssl.cnf hijack2022-07-08
Debian
CVE-2022-32222: nodejs - A cryptographic vulnerability exists on Node.js on linux in versions of 18.x pri...2022

💬Community

1
HackerOne
Inadequate Encryption Strength in nodejs-current reads openssl.cnf from /home/iojs/build/... upon startup on MacOS2023-04-09
CVE-2022-32222 (MEDIUM CVSS 5.3) | A cryptographic vulnerability exist | cvebase.io