CVE-2022-21824
Description
Due to the formatting logic of the console.table() function it was not safe to allow user controlled input to be passed to the properties parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be __proto__. The prototype pollution has very limited control, in that it only allows an empty string to be assigned to numerical keys of the object prototype.Node.js >= 12.22.9, >= 14.18.3, >= 16.13.2, and >= 17.3.1 use a null protoype for the object these properties are being assigned to.
Risk Information
Base Score
8.2
MODERATE
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
EPSS Score
Exploitation Probability
0.335
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| Vulnerabilities CVE-2021-44531,CVE-2021-44532,CVE-2021-44533,CVE-2022-21824 are fixed in Node.js 12 (x64) (12.22.9) | Windows |
| Vulnerabilities CVE-2021-44531,CVE-2021-44532,CVE-2021-44533,CVE-2022-21824 are fixed in Node.js 12 (12.22.9) | Windows |
| Vulnerabilities CVE-2021-44531,CVE-2021-44532,CVE-2021-44533,CVE-2022-21824 are fixed in Node.js 14 (x64) (14.18.3) | Windows |
| Vulnerabilities CVE-2021-44531,CVE-2021-44532,CVE-2021-44533,CVE-2022-21824 are fixed in Node.js 14 (14.18.3) | Windows |
| Vulnerabilities CVE-2021-44531,CVE-2021-44532,CVE-2021-44533,CVE-2022-21824 are fixed in Node.js 16 (x64) (16.13.2) | Windows |
| Vulnerabilities CVE-2021-44531,CVE-2021-44532,CVE-2021-44533,CVE-2022-21824 are fixed in Node.js 16 (16.13.2) | Windows |
| Vulnerabilities CVE-2021-44531,CVE-2021-44532,CVE-2021-44533,CVE-2022-21824 are fixed in Node.js 17 (17.9.1) | Windows |
| Vulnerabilities CVE-2021-44531,CVE-2021-44532,CVE-2021-44533,CVE-2022-21824 are fixed in Node.js 17 (x64) (17.9.1) | Windows |
| Multiple Vulnerabilities are affected in IBM Cognos Analytics 11.1.6 | Windows |
| Multiple Vulnerabilities are affected in IBM Business Automation Workflow 20.0.0.2 | Windows |
| Multiple Vulnerabilities are affected in Netapp Oncommand Insight 2.3 | Windows |
| Multiple Vulnerabilities are affected in IBM Cognos Controller 11.0.1 | Windows |
| Multiple Vulnerabilities are affected in Netapp Snapcenter 2.3 | Windows |
| Multiple Vulnerabilities are affected in Netapp Oncommand Workflow Automation 2.3 | Windows |
| Multiple Vulnerabilities are affected in IBM Business Automation Workflow 18.0.0.1 | Windows |
| Multiple Vulnerabilities are affected in IBM Business Automation Workflow 19.0.0.3 | Windows |
| Multiple Vulnerabilities are affected in MySQL Cluster 8.0.29 | Windows |
| Multiple Vulnerabilities are affected in IBM Business Automation Workflow 21.0.3 | Windows |
| Multiple Vulnerabilities are affected in IBM App Connect Enterprise 11.0.0.15 | Windows |
| Multiple Vulnerabilities are affected in IBM App Connect Enterprise 12.0.3.0 | Windows |
| Multiple Vulnerabilities are affected in IBM Cognos Analytics 11.2.2 | Windows |
| nodejs security update(DSA-5170-1) nodejs_12.22.12~dfsg-1~deb11u1_amd64.deb | Linux |
| (RHSA-2022:7830) nodejs:14 security update nodejs-14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64.rpm | Linux |
| (RHSA-2022:7830) nodejs:14 security update nodejs-debugsource-14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64.rpm | Linux |
| (RHSA-2022:7830) nodejs:14 security update nodejs-devel-14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64.rpm | Linux |
| (RHSA-2022:7830) nodejs:14 security update nodejs-docs-14.20.1-2.module+el8.7.0+16991+b0a68a3e.noarch.rpm | Linux |
| (RHSA-2022:7830) nodejs:14 security update nodejs-full-i18n-14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64.rpm | Linux |
| (RHSA-2022:7830) nodejs:14 security update nodejs-nodemon-2.0.19-2.module+el8.7.0+16991+b0a68a3e.noarch.rpm | Linux |
| (RHSA-2022:7830) nodejs:14 security update npm-6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.x86_64.rpm | Linux |
| Nodejs update (ELSA-2022-9073-1) nodejs-16.18.1-3.module+el8.7.0+20893+df13f383.x86_64.rpm | Linux |
| Nodejs-devel update (ELSA-2022-9073-1) nodejs-devel-16.18.1-3.module+el8.7.0+20893+df13f383.x86_64.rpm | Linux |
| Nodejs-docs update (ELSA-2022-9073-1) nodejs-docs-16.18.1-3.module+el8.7.0+20893+df13f383.noarch.rpm | Linux |
| Nodejs-full-i18n update (ELSA-2022-9073-1) nodejs-full-i18n-16.18.1-3.module+el8.7.0+20893+df13f383.x86_64.rpm | Linux |
| Nodejs-nodemon update (ELSA-2022-9073-1) nodejs-nodemon-2.0.20-2.module+el8.7.0+20893+df13f383.noarch.rpm | Linux |
| Nodejs-packaging update (ELSA-2022-9073-1) nodejs-packaging-25-1.module+el8.5.0+20388+4b61e68d.noarch.rpm | Linux |
| Npm update (ELSA-2022-9073-1) npm-8.19.2-1.16.18.1.3.module+el8.7.0+20893+df13f383.x86_64.rpm | Linux |
| (RHSA-2022:9073) nodejs:16 security, bug fix, and enhancement update nodejs-nodemon-2.0.20-2.module+el8.7.0+17412+bb0e4a6b.noarch.rpm | Linux |
| nodejs Security Update (ALAS2023-2023-084) v8-devel-10.2.154.15-1.18.12.1.1.amzn2023.0.2.x86_64.rpm | Linux |
| nodejs Security Update (ALAS2023-2023-084) nodejs-18.12.1-1.amzn2023.0.2.x86_64.rpm | Linux |
| nodejs Security Update (ALAS2023-2023-084) nodejs-devel-18.12.1-1.amzn2023.0.2.x86_64.rpm | Linux |
| nodejs Security Update (ALAS2023-2023-084) nodejs-docs-18.12.1-1.amzn2023.0.2.noarch.rpm | Linux |
| nodejs Security Update (ALAS2023-2023-084) nodejs-full-i18n-18.12.1-1.amzn2023.0.2.x86_64.rpm | Linux |
| nodejs Security Update (ALAS2023-2023-084) nodejs-libs-18.12.1-1.amzn2023.0.2.x86_64.rpm | Linux |
| nodejs Security Update (ALAS2023-2023-084) npm-8.19.2-1.18.12.1.1.amzn2023.0.2.x86_64.rpm | Linux |
Patch Details
Click to see the patches provided by ManageEngine for this CVE
| Patch ID | Patch Description |
|---|---|
| PATCH-324371 | Node.js 12 (x64) (12.22.12) |
| PATCH-324370 | Node.js 12 (12.22.12) |
| PATCH-329083 | Node.js 14 (x64) (14.21.3) |
| PATCH-329082 | Node.js 14 (14.21.3) |
| PATCH-331257 | Node.js 16 (x64) (16.20.1) |
| PATCH-331256 | Node.js 16 (16.20.1) |
| PATCH-325140 | Node.js 17 (17.9.1) |
| PATCH-325141 | Node.js 17 (x64) (17.9.1) |
References
https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234