CVE-2022-32222

Advisory lineage: Upstream: 0, Downstream: 1
Modified
Published: 14 Jul 2022, 00:00
Last modified: 30 Apr 2025, 22:24

Vulnerability Summary

  • Overall Risk (default): medium, 31/100
  • CVSS Score: 5.3 MEDIUM, v3.1 (nvd)
  • EPSS Score: 0.62% LOW, 1% probability, +0.23%
  • KEV: Not listed
  • Ransomware: No reports
  • Public exploits: 1 found
  • Dark Web: Not detected

Timeline

  • 14 Jul 2022, 00:00: Published (vulnerability first disclosed)
  • 30 Apr 2025, 22:24: Last Modified (vulnerability information updated)

Description

A cryptographic vulnerability exists in Node.js on Linux in versions of 18.x prior to 18.40.0, which allowed a default path for openssl.cnf that might be accessible under some circumstances to a non-admin user, instead of /etc/ssl as was the case in versions prior to the upgrade to OpenSSL 3.

CVSS Metrics

  • v3.1, MEDIUM, Score: 5.3, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

EPSS Trends

Current EPSS score: 0.62% Percentile: 70%

Techniques & Countermeasures

  • CWE-427: Uncontrolled Search Path Element

    The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.

  • CWE-310: Cryptographic Issues

    Weaknesses in this category are related to the design and implementation of data confidentiality and integrity. Frequently these deal with the use of encoding techniques, encryption libraries, and hashing algorithms. The weaknesses in this category could lead to a degradation of the quality data if they are not addressed.

Affected Systems

  • nodejs / node

    ≥ 4.0, < 4.* | ≥ 5.0, < 5.* | ≥ 6.0, < 6.* | ≥ 7.0, < 7.* | ≥ 8.0, < 8.* | ≥ 9.0, < 9.* | ≥ 10.0, < 10.* | ≥ 11.0, < 11.* | ≥ 12.0, < 12.* | ≥ 13.0, < 13.* | ≥ 14.0, < 14.20.0 | ≥ 15.0, < 15.* | ≥ 16.0, < 16.20.0 | ≥ 17.0, < 17.* | ≥ 18.0, < 18.9.1

  • nodejs / node.js

    ≥ 18.0.0, < 18.5.0

  • siemens / sinec_ins

    < 1.0 | 1.0 | 1.0:sp1 | 1.0:sp2
