7.3

CVE-2022-32223

Node.js is vulnerable to Hijack Execution Flow: DLL Hijacking under certain conditions on Windows platforms. This vulnerability can be exploited if the victim has the following dependencies on a Windows machine:

* OpenSSL has been installed and “C:\Program Files\Common Files\SSL\openssl.cnf” exists.

Whenever the above conditions are present, `node.exe` will search for `providers.dll` in the current user directory. After that, `node.exe` will try to search for `providers.dll` by the DLL Search Order in Windows. It is possible for an attacker to place the malicious file `providers.dll` under a variety of paths and exploit this vulnerability.

Data is provided by the National Vulnerability Database (NVD)

| Vendor | Product | SwEdition | Version |
|---|---|---|---|
| Nodejs | Node.Js | - | >= 14.0.0 <= 14.14.0 |
| Microsoft | Windows | | - |
| Nodejs | Node.Js | lts | >= 14.14.0 < 14.20.0 |
| Microsoft | Windows | | - |
| Nodejs | Node.Js | - | >= 16.0.0 <= 16.12.0 |
| Microsoft | Windows | | - |
| Nodejs | Node.Js | lts | >= 16.13.0 < 16.16.0 |
| Microsoft | Windows | | - |
| Nodejs | Node.Js | - | >= 18.0.0 < 18.0.5 |
| Microsoft | Windows | | - |

No CISA KEV or CERT.AT warning was found for this CVE.

EPSS Metrics

| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 9.06% | 0.923 |

CVSS Metrics

| Source | Base Score | Exploit Score | Impact Score | Vector string |
|---|---|---|---|---|
| nvd@nist.gov | 7.3 | 1.3 | 5.9 | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H |

CWE-427 Uncontrolled Search Path Element

The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.