CVE-2022-21704: Incorrect Default Permissions in log4js-node

Published Jan 19, 2022
·
Updated

Impact Default file permissions for log files created by the file, fileSync and dateFile appenders are world-readable (in unix). This could cause problems if log files contain sensitive information. This would affect any users that have not supplied their own permissions for the files via the mode parameter in the config. Patches Fixed by: https://github.com/log4js-node/log4js-node/pull/1141 https://github.com/log4js-node/streamroller/pull/87 Released to NPM in log4js@6.4.0 Workarounds Every version of log4js published allows passing the mode parameter to the configuration of file appenders, see the documentation for details. References Thanks to ranjit-git for raising the issue, and to @lamweili for fixing the problem. For more information If you have any questions or comments about this advisory: Open an issue in logj4s-node Ask a question in the slack channel Email us at gareth.nomiddlename@gmail.com

Other sources

log4js-node is a port of log4js to node.js. In affected versions default file permissions for log files created by the file, fileSync and dateFile appenders are world-readable (in unix). This could cause problems if log files contain sensitive information. This would affect any users that have not supplied their own permissions for the files via the mode parameter in the config. Users are advised to update.

NVD

log4js-node module for Node.js could allow a local authenticated attacker to obtain sensitive information, caused by an issue with the default file permissions for log files created by the file, fileSync and dateFile appenders are world-readable. By gaining access to the log files, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.

IBM

Affected Software

4 affected componentsFixes available
npm/log4js<6.4.0
6.4.0
IBM Security Verify Governance<=10.0
Log4js Project Log4js Node.js<6.4.0
Debian Debian Linux=10.0

Remediation

Patch Available

https://github.com/log4js-node/log4js-node/pull/1141/commits/8042252861a1b65adb66931fdf702ead34fa9b76

Patch Available

https://github.com/log4js-node/log4js-node/security/advisories/GHSA-82v2-mx6x-wq7q

Patch Available

https://github.com/log4js-node/streamroller/pull/87

Event History

Jan 19, 2022
CVE Published
via MITRE·12:00 AM
Data Sourced
via MITRE·12:00 AM
DescriptionSeverityWeakness
Jan 21, 2022
Advisory Published
via GitHub·06:53 PM

Parent advisories

This vulnerability appears in the following advisories.

Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the vulnerability ID for log4js-node?

The vulnerability ID for log4js-node is CVE-2022-21704.

2

What is the severity of CVE-2022-21704?

CVE-2022-21704 has a severity level of 5.5 (medium).

3

How does log4js-node allow an attacker to obtain sensitive information?

log4js-node allows an attacker to obtain sensitive information by having default file permissions for log files that are world-readable.

4

Which versions of log4js-node are affected by CVE-2022-21704?

Versions up to (but not including) 6.4.0 of log4js-node are affected by CVE-2022-21704.

5

Is there a fix available for CVE-2022-21704?

Yes, a fix is available for CVE-2022-21704 and can be found in the log4js-node GitHub repository.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203