CVE-2022-21704

Name: CVE-2022-21704
Creator: NVD / NIST
Published: 2022-01-19T23:15:08.177+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

MEDIUMCVSS 5.5/10EPSS 0.30%

Last modified Jun 17, 2026

CVE-2022-21704 is a medium-severity vulnerability rated 5.5/10 on the CVSS scale. log4js-node is a port of log4js to node.js. In affected versions default file permissions for log files created by the file, fileSync and dateFile appenders are world-readable (in unix). EPSS estimates a 0.30% chance of exploitation in the next 30 days.

Description

log4js-node is a port of log4js to node.js. In affected versions default file permissions for log files created by the file, fileSync and dateFile appenders are world-readable (in unix). This could cause problems if log files contain sensitive information. This would affect any users that have not supplied their own permissions for the files via the mode parameter in the config. Users are advised to update.

Metrics

CVSS 3.1

5.5/10

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS Probability

0.30%

21.8th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Log4js Project	Log4js	< 6.4.0
Debian	Debian Linux	10.0

References

https://github.com/log4js-node/log4js-node/blob/v6.4.0/CHANGELOG.md#640Release Notes, Third Party Advisory
https://github.com/log4js-node/log4js-node/pull/1141/commits/8042252861a1b65adb66931fdf702ead34fa9b76Patch, Third Party Advisory
https://github.com/log4js-node/log4js-node/security/advisories/GHSA-82v2-mx6x-wq7qPatch, Third Party Advisory
https://github.com/log4js-node/streamroller/pull/87Issue Tracking, Patch, Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/12/msg00014.htmlMailing List, Third Party Advisory
https://github.com/log4js-node/log4js-node/blob/v6.4.0/CHANGELOG.md#640Release Notes, Third Party Advisory
https://github.com/log4js-node/log4js-node/pull/1141/commits/8042252861a1b65adb66931fdf702ead34fa9b76Patch, Third Party Advisory
https://github.com/log4js-node/log4js-node/security/advisories/GHSA-82v2-mx6x-wq7qPatch, Third Party Advisory
https://github.com/log4js-node/streamroller/pull/87Issue Tracking, Patch, Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/12/msg00014.htmlMailing List, Third Party Advisory

Timeline

Published: Jan 19, 2022
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2022-21704?

How severe is CVE-2022-21704?

CVE-2022-21704 has a CVSS score of 5.5/10 (MEDIUM severity). The EPSS model estimates a 0.30% probability of exploitation in the next 30 days.

How do I fix CVE-2022-21704?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2022-21704?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST