CVE-2022-32222

moderate-risk
Published 2022-07-14

A cryptographic vulnerability exists on Node.js on linux in versions of 18.x prior to 18.40.0 which allowed a default path for openssl.cnf that might be accessible under some circumstances to a non-admin user instead of /etc/ssl as was the case in versions prior to the upgrade to OpenSSL 3.

Do I need to act?

-
0.62% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.3/10 Medium
NETWORK / LOW complexity

Affected Products (5)

Affected Vendors

Siemens Nodejs

References (2)

Exploit https://hackerone.com/reports/1695596
Exploit https://hackerone.com/reports/1695596
35
/ 100
moderate-risk
Severity 21/34 · High
Exploitability 2/34 · Minimal
Exposure 12/34 · Low