CVE-2022-43548

CWE-78OS Command InjectionCWE-35011 documents9 sources
Severity
8.1HIGH
EPSS
0.6%
top 31.55%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Nodejs NodeNodejs Node.jsDebian Debian Linux
Timeline
PublishedDec 5
Latest updateNov 21

Description

A OS Command Injection vulnerability exists in Node.js versions <14.21.1, <16.18.1, <18.12.1, <19.0.1 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks.The fix for this issue in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32212 was incomplete and this new CVE is to complete the fix.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages3 packages

CVEListV5nodejs/node4.04.*+15
NVDnodejs/node.js14.15.014.21.1+6
Debiannodejs< 12.22.12~dfsg-1~deb11u3+3

Also affects: Debian Linux 10.0, 11.0

Patches

Patch: nodejs.orgPatch: nodejs.org

🔴Vulnerability Details

3
GHSA
GHSA-r934-m2c7-26gh: A OS Command Injection vulnerability exists in Node2022-12-06
OSV
CVE-2022-43548: A OS Command Injection vulnerability exists in Node2022-12-05
CVEList
CVE-2022-43548: A OS Command Injection vulnerability exists in Node2022-12-05

📋Vendor Advisories

7
Ubuntu
Node.js vulnerabilities2023-11-21
Oracle
Oracle Oracle JD Edwards Risk Matrix: E1 Dev Platform Tech (Node.js) — CVE-2022-435482023-07-15
Oracle
Oracle Oracle MySQL Risk Matrix: Cluster: JS module (Node.js) — CVE-2022-435482023-04-15
Oracle
Oracle Oracle Java SE Risk Matrix: Node (Node.js) — CVE-2022-435482023-01-15
Microsoft
A OS Command Injection vulnerability exists in Node.js versions <14.21.1 <16.18.1 <18.12.1 <19.0.1 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not p2022-12-13
CVE-2022-43548 (HIGH CVSS 8.1) | A OS Command Injection vulnerabilit | cvebase.io