Information Exposure Affecting log4js package, versions <6.4.0


Severity

Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.05% (20th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Information Exposure vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-JS-LOG4JS-2348757
  • published20 Jan 2022
  • disclosed20 Jan 2022
  • creditLam Wei Li, ranjit-git

Introduced: 20 Jan 2022

CVE-2022-21704  (opens in a new tab)
CWE-276  (opens in a new tab)

How to fix?

Upgrade log4js to version 6.4.0 or higher.

Overview

log4js is a Port of Log4js to work with node.

Affected versions of this package are vulnerable to Information Exposure via the default file permissions for log files that are created by the file, fileSync and dateFile appenders which are world-readable (in unix). This could cause problems if log files contain sensitive information. This would affect any users that have not supplied their own permissions for the files via the mode parameter in the config.

CVSS Scores

version 3.1