What is the severity of CVE-2022-21704?

CVE-2022-21704 has a CVSS v3 score of 5.5, which is classified as Medium severity.

Is there an exploit available for CVE-2022-21704?

No known public exploits are currently available for CVE-2022-21704.

Is there a patch available for CVE-2022-21704?

Yes, patches are available for CVE-2022-21704. Check the vendor advisories for update instructions.

CVE-2022-21704 - CVE Details, Severity, and Analysis

Q: What is CVE-2022-21704?

### Impact Default file permissions for log files created by the file, fileSync and dateFile appenders are world-readable (in unix). This could cause problems if log files contain sensitive information. This would affect any users that have not supplied their own permissions for the files via the mode parameter in the config. ### Patches Fixed by: * https://github.com/log4js-node/log4js-node/pull/1141 * https://github.com/log4js-node/streamroller/pull/87 Released to NPM in log4js@6.4.0 ### Workarounds Every version of log4js published allows passing the mode parameter to the configuration of file appenders, see the documentation for details. ### References Thanks to [ranjit-git](https://www.huntr.dev/users/ranjit-git) for raising the issue, and to @lamweili for fixing the problem. ### For more information If you have any questions or comments about this advisory: * Open an issue in [logj4s-node](https://github.com/log4js-node/log4js-node) * Ask a question in the [slack channel](https://join.slack.com/t/log4js-node/shared_invite/enQtODkzMDQ3MzExMDczLWUzZmY0MmI0YWI1ZjFhODY0YjI0YmU1N2U5ZTRkOTYyYzg3MjY5NWI4M2FjZThjYjdiOGM0NjU2NzBmYTJjOGI) * Email us at [gareth.nomiddlename@gmail.com](mailto:gareth.nomiddlename@gmail.com)

Agentic AI · Pentesting

Ready for Agentic Automated Testing?

Deploy autonomous AI agents that reason, exploit, and validate complex vulnerability chains — not another scanner, an agentic system that thinks like a senior pentester.

Zero false positives

PoC for every finding

30+ tools orchestrated

Book a Demo Learn More

Setup in 5 minutesSOC 2 & ISO 27001

CVE-2022-21704 - CVE Details, Severity, and Analysis | Strobes VI

Severity Scores

CVSS v35.5

CVSS v22.1

Priority Score125.0

EPSS Score0.0

Medium

Exploitation LikelihoodMinimal

0.00%EPSS

Very low probability of exploitation

Monitor and patch as resources allow

0.00%

EPSS

5.5

CVSS

Exploit

Yes

Patch

Low Priority

no major risk factors

EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.

Description

Impact

Default file permissions for log files created by the file, fileSync and dateFile appenders are world-readable (in unix). This could cause problems if log files contain sensitive information. This would affect any users that have not supplied their own permissions for the files via the mode parameter in the config.

Patches

Fixed by:

https://github.com/log4js-node/log4js-node/pull/1141
https://github.com/log4js-node/streamroller/pull/87

Released to NPM in [email protected]

Workarounds

Every version of log4js published allows passing the mode parameter to the configuration of file appenders, see the documentation for details.

References

Thanks to ranjit-git for raising the issue, and to @lamweili for fixing the problem.

For more information

If you have any questions or comments about this advisory:

Open an issue in logj4s-node
Ask a question in the slack channel
Email us at [email protected]

CVSS v3 Breakdown

Attack Vector:Local

Attack Complexity:Local

Privileges Required:Local

User Interaction:Network

Scope:Unchanged

Confidentiality:High

Integrity:Network

Availability:Network

Patch References

Github.com Security [email protected]Security [email protected]

Trend Analysis

Neutral

Vulnerable Products

Vendor	Product
Log4js Project	Log4js
Debian