Reference: Advisory #2022-44
Version: 1.0
Affected software:
Node.js 14.x.x prior to 14.21.1
Node.js 16.x.x prior to 16.18.1
Node.js 18.x.x prior to 18.12.1
Node.js 19.x.x prior to 19.0.1
Type: OS Command Injection Vulnerability
CVE/CVSS: CVE-2022-43548
CVSSv3.1: 8.1
Vector v3.1: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
The Node.js project has released a security update for Node.js. This update resolves three vulnerabilities, including an OS Command Injection vulnerability.
The Centre for Cyber Security Belgium recommends that system administrators patch vulnerable systems as soon as possible and analyze system and network logs for any suspicious activity. This report contains instructions to help your organization.
In case of an intrusion, you can report an incident via: https://ccb.belgium.be/cert/report-incident
An OS Command Injection vulnerability exists in Node.js versions <14.21.1, <16.18.1, <18.12.1 and <19.0.1 due to an insufficient IsAllowedHost check that can easily be bypassed: IsIPAddress does not properly check whether an IP address is invalid before DNS requests are made, which allows DNS rebinding attacks.
Affected products
Node.js is an open-source, cross-platform JavaScript runtime environment. As an asynchronous event-driven JavaScript runtime, Node.js is designed to build scalable network applications.
Update the installation to one of the latest versions: