CVE-2022-43548

CVE Details

Release Date:	2022-12-05
Impact:	None	What is this?

Description

A Command njection vulnerability exists in ode.js versions <14.21.1, <16.18.1, <18.12.1, <19.0.1 due to an insufficient sAllowedHost check that can easily be bypassed because sAddress does not properly check if an address is invalid before making DB requests allowing rebinding attacks.The fix for this issue in https:cve.mitre.orgcgi-bincvename.cgi?name=CVE-2022-32212 was incomplete and this new CVE is to complete the fix.

See more information about CVE-2022-43548 from MITRE CVE dictionary and NIST NVD

NOTE: The following CVSS metrics and score provided are preliminary and subject to review.

CVSS v3 metrics

Base Score:	8.1
Vector String:	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Version:	3.0
Attack Vector:	Network
Attack Complexity:	High
Privileges Required:	None
User Interaction:	None
Scope:	Unchanged
Confidentiality Impact:	High
Integrity Impact:	High
Availability Impact:	High

Errata information

Platform	Errata	Release Date
Oracle Linux version 8 (nodejs)	ELSA-2022-8833	2022-12-08
Oracle Linux version 8 (nodejs)	ELSA-2022-9073-1	2022-12-16
Oracle Linux version 8 (nodejs)	ELSA-2023-0050	2023-01-09
Oracle Linux version 8 (nodejs-nodemon)	ELSA-2022-8833	2022-12-08
Oracle Linux version 8 (nodejs-nodemon)	ELSA-2022-9073-1	2022-12-16
Oracle Linux version 8 (nodejs-nodemon)	ELSA-2023-0050	2023-01-09
Oracle Linux version 8 (nodejs-packaging)	ELSA-2022-8833	2022-12-08
Oracle Linux version 8 (nodejs-packaging)	ELSA-2022-9073-1	2022-12-16
Oracle Linux version 8 (nodejs-packaging)	ELSA-2023-0050	2023-01-09
Oracle Linux version 9 (nodejs)	ELSA-2022-8832	2022-12-09
Oracle Linux version 9 (nodejs)	ELSA-2023-0321	2023-01-24
Oracle Linux version 9 (nodejs-nodemon)	ELSA-2022-8832	2022-12-09
Oracle Linux version 9 (nodejs-nodemon)	ELSA-2023-0321	2023-01-24
Oracle Linux version 9 (nodejs-packaging)	ELSA-2022-8832	2022-12-09