8.1

CVE-2022-32212

A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20.0, <18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks.

Data is provided by the National Vulnerability Database (NVD)
NodejsNode.Js SwEdition- Version >= 14.0.0 <= 14.14.0
NodejsNode.Js SwEditionlts Version >= 14.15.0 < 14.20.1
NodejsNode.Js SwEdition- Version >= 16.0.0 <= 16.12.0
NodejsNode.Js SwEditionlts Version >= 16.13.0 < 16.17.1
NodejsNode.Js SwEdition- Version >= 18.0.0 < 18.5.0
DebianDebian Linux Version10.0
DebianDebian Linux Version11.0
FedoraprojectFedora Version35
FedoraprojectFedora Version36
FedoraprojectFedora Version37
SiemensSinec Ins Version < 1.0
SiemensSinec Ins Version1.0 Update-
SiemensSinec Ins Version1.0 Updatesp1
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 0.08% 0.25
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 8.1 2.2 5.9
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.