Vulnerability Name: CVE-2022-0235 (CCN-217758)

Assigned:2022-01-14
Published:2022-01-14
Updated:2023-02-03
Summary:node-fetch forwards sensitive request headers (Authorization, WWW-Authenticate, Cookie, Cookie2) to a third-party host when it follows a redirect, exposing credentials to an unauthorized actor. Affected: versions before 2.6.7 and 3.x before 3.1.1.
CVSS v3 Severity:6.1 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
5.3 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope:Scope (S): Changed
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availability (A): None
6.5 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
5.7 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): None
Availability (A): None
6.1 Medium (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N)
5.3 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): Required
Scope:Scope (S): Changed
Impact Metrics:Confidentiality (C): High
Integrity (I): None
Availability (A): None
CVSS v2 Severity:5.8 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): None
6.8 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:C/I:N/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single
Impact Metrics:Confidentiality (C): Complete
Integrity (I): None
Availability (A): None
Vulnerability Type:CWE-601
Vulnerability Consequences:Obtain Information
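The mechanism behind this CVE, as an added example that is not node-fetch's own source: before 2.6.7 and 3.1.1, node-fetch copied every request header onto the redirected request, so a bearer token or cookie sent to one host followed a 302 to another. The function below re-implements the check the fix introduced as a pure, offline-runnable routine. The origin comparison (scheme, host and port) is an assumption of this example and is stricter than node-fetch's own host comparison; the sample request and redirect target are constructed.

```javascript
// Added example: redirect header handling for CVE-2022-0235, not node-fetch's code.
// The four headers below are the ones the fix stops forwarding on a cross-host redirect.
const SENSITIVE_HEADERS = ['authorization', 'www-authenticate', 'cookie', 'cookie2'];

// Same origin = same scheme, host and port (assumption of this example; node-fetch's
// own fix compares hosts/subdomains, this is the more conservative choice).
function sameOrigin(a, b) {
  const ua = new URL(a), ub = new URL(b);
  return ua.protocol === ub.protocol && ua.hostname === ub.hostname && ua.port === ub.port;
}

// Resolve a Location header against the request URL; relative redirects are common.
function resolveRedirect(requestUrl, location) {
  return new URL(location, requestUrl).href;
}

// Compute the headers to send on the redirected request. `headers` is a plain object;
// names are matched case-insensitively but emitted with their original casing.
// stripCrossOrigin=false reproduces the vulnerable behaviour (everything is forwarded).
function headersForRedirect(requestUrl, location, headers, { stripCrossOrigin = true } = {}) {
  const target = resolveRedirect(requestUrl, location);
  const crossOrigin = !sameOrigin(requestUrl, target);
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    const sensitive = SENSITIVE_HEADERS.includes(name.toLowerCase());
    if (stripCrossOrigin && sensitive && crossOrigin) continue; // drop credentials
    out[name] = value;
  }
  return { target, crossOrigin, headers: out };
}

// Constructed sample: an authenticated API call that gets redirected off-host.
const sample = {
  url: 'https://api.example.com/v1/report',
  headers: { Authorization: 'Bearer s3cr3t', Accept: 'application/json', Cookie: 'session=abc' },
};

function demo() {
  const offHost = 'https://evil.example.net/collect';
  return {
    leaky: headersForRedirect(sample.url, offHost, sample.headers, { stripCrossOrigin: false }),
    fixed: headersForRedirect(sample.url, offHost, sample.headers),
    sameHost: headersForRedirect(sample.url, '/v1/report?page=2', sample.headers),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

In the `leaky` result the Authorization and Cookie values reach evil.example.net; in `fixed` only Accept survives the cross-origin hop, while the same-host relative redirect keeps every header. Any HTTP client wrapper that follows redirects itself should apply the same rule.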
References:Source: MITRE
Type: CNA
CVE-2022-0235

Source: security@huntr.dev
Type: Patch, Third Party Advisory
security@huntr.dev

Source: XF
Type: UNKNOWN
nodejs-cve20220235-info-disc(217758)

Source: security@huntr.dev
Type: Patch, Third Party Advisory
security@huntr.dev

Source: security@huntr.dev
Type: Exploit, Third Party Advisory
security@huntr.dev

Source: security@huntr.dev
Type: Mailing List, Third Party Advisory
security@huntr.dev

Source: CCN
Type: SNYK-JS-NODEFETCH-2342118
Information Exposure

Source: CCN
Type: IBM Security Bulletin 6562843 (Spectrum Protect Plus)
Vulnerabilities in Polkit, Node.js, OpenSSH, and Golang Go affect IBM Spectrum Protect Plus (CVE-2021-4034, CVE-2022-21681, CVE-2022-21680, CVE-2022-0235, CVE-2021-41617, CVE-2021-44716, CVE-2021-44717, 218243)

Source: CCN
Type: IBM Security Bulletin 6563569 (Cloud Automation Manager)
A security vulnerability in Node.js node-fetch module affects IBM Cloud Automation Manager

Source: CCN
Type: IBM Security Bulletin 6563901 (App Connect Enterprise)
Vulnerabilities in Node.js affect IBM App Connect Enterprise (CVE-2022-0235)

Source: CCN
Type: IBM Security Bulletin 6570919 (Robotic Process Automation)
Multiple vulnerabilities may affect IBM Robotic Process Automation

Source: CCN
Type: IBM Security Bulletin 6575667 (Spectrum Discover)
High severity vulnerabilities in libraries used by IBM Spectrum Discover (libraries of libraries)

Source: CCN
Type: IBM Security Bulletin 6578583 (Cloud Pak for Business Automation)
Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for April 2022

Source: CCN
Type: IBM Security Bulletin 6582695 (Cloud Transformation Advisor)
IBM Cloud Transformation Advisor is vulnerable to multiple vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6621967 (Cloud Pak for Multicloud Management)
A security vulnerability in Nodejs node-fetch affects IBM Cloud Pak for Multicloud Management Managed Services

Source: CCN
Type: IBM Security Bulletin 6825871 (Tivoli Netcool/OMNIbus_GUI)
Multiple vulnerabilities in React, webpack and Node.js modules affect Tivoli Netcool/OMNIbus WebGUI

Source: CCN
Type: IBM Security Bulletin 6832944 (Business Automation Manager Open Editions)
Multiple security vulnerabilities are addressed with IBM Business Automation Manager Open Editions 8.0.1

Source: CCN
Type: IBM Security Bulletin 6837327 (App Connect Enterprise Certified Container)
IBM App Connect Enterprise Certified Container operands may be vulnerable to loss of confidentiality due to CVE-2022-0235

Source: CCN
Type: IBM Security Bulletin 6838293 (QRadar Assistant)
IBM QRadar Assistant app for IBM QRadar SIEM includes components with multiple known vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6956539 (MobileFirst Platform Foundation)
Multiple vulnerabilities found with third-party libraries used by IBM MobileFirst Platform

Source: CCN
Type: IBM Security Bulletin 6980799 (QRadar Data Synchronization App)
IBM QRadar Data Synchronization App for IBM QRadar SIEM is vulnerable to using components with known vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6988633 (InfoSphere Information Server)
IBM InfoSphere Information Server is affected by multiple vulnerabilities in Node.js (CVE-2022-0235,CVE-2020-15168)

Source: CCN
Type: IBM Security Bulletin 6997107 (Engineering Requirements Quality Assistant)
There are multiple vulnerabilites that affect IBM Engineering Requirements Quality Assistant On-Premises

Source: CCN
Type: NPM Web site
node-fetch

Vulnerable Configuration:
  Configuration RedHat 1:
  • cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:*
  Configuration RedHat 2:
  • cpe:/a:redhat:enterprise_linux:8::appstream:*:*:*:*:*

  Configuration CCN 1:
  • cpe:/a:nodejs:node.js:*:*:*:*:-:*:*:*
  • OR cpe:/a:ibm:infosphere_information_server:11.7:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect:11.0.0.0:*:*:*:enterprise:*:*:*
  • OR cpe:/a:ibm:cloud_transformation_advisor:2.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:mobilefirst_platform_foundation:8.0.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise:12.0.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:18.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:18.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:19.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:19.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:20.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:20.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:21.0.1:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:21.0.2:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:21.0.3:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_protect_plus:10.1.9.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:robotic_process_automation:21.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:robotic_process_automation:21.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:4.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:4.2:*:*:*:*:*:*:*

  * Denotes that the component is vulnerable
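The CPE list above names products that bundle the library; what a practitioner actually has to check is the node-fetch version pinned in a project's lockfile. The following is an added example, not from IBM, npm or the node-fetch project: it walks a package-lock.json (v1 nested form or v2/v3 flat form) and flags every copy of node-fetch in the affected ranges, below 2.6.7 and 3.0.0 up to 3.1.0. The lockfile content is constructed for the example.

```javascript
// Added example: lockfile audit for CVE-2022-0235 (not the project's or IBM's tooling).
// Affected ranges per the advisory: <2.6.7 (1.x and 2.x) and >=3.0.0 <3.1.1.

// Minimal numeric major.minor.patch comparison. Pre-release tags are dropped;
// lockfiles pin exact releases, so that is sufficient here.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

function isVulnerable(version) {
  const major = Number(version.split('.')[0]);
  if (major >= 3) return compareVersions(version, '3.1.1') < 0;
  return compareVersions(version, '2.6.7') < 0; // covers the 1.x line too
}

// Collect every installed copy of node-fetch, including nested (transitive) ones.
function findNodeFetch(lock) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === 'node_modules/node-fetch' || path.endsWith('/node_modules/node-fetch')) {
        hits.push({ path, version: meta.version });
      }
    }
  } else {
    // lockfileVersion 1: nested "dependencies" tree
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const path = `${prefix}node_modules/${name}`;
        if (name === 'node-fetch') hits.push({ path, version: meta.version });
        walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

function audit(lock) {
  return findNodeFetch(lock).map((h) => ({ ...h, vulnerable: isVulnerable(h.version) }));
}

// Convenience for a real file: node audit.js ./package-lock.json
function auditFile(file) {
  return audit(JSON.parse(require('fs').readFileSync(file, 'utf8')));
}

// Constructed v2 lockfile: the direct dependency is patched, but an SDK still
// carries its own nested, vulnerable copy. That nested copy is the usual miss.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo', version: '1.0.0' },
    'node_modules/node-fetch': { version: '2.6.7' },
    'node_modules/some-sdk': { version: '4.2.0', dependencies: { 'node-fetch': '^2.6.0' } },
    'node_modules/some-sdk/node_modules/node-fetch': { version: '2.6.1' },
  },
};

console.log(audit(SAMPLE_LOCK));
```

`npm ls node-fetch` gives the same tree view interactively; the point of reading the lockfile directly is that it can run in CI against the committed file without an install step, and it reports nested copies that a top-level version check overlooks.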
Oval Definitions
Definition ID | Class (P = patch) | Title | Last Modified
oval:com.redhat.rhsa:def:20230050 | P | RHSA-2023:0050: nodejs:14 security, bug fix, and enhancement update (Moderate) | 2023-01-09
oval:org.opensuse.security:def:483 | P | Security update for nodejs8 (Moderate) | 2022-05-17
oval:org.opensuse.security:def:119580 | P | Security update for nodejs10 (Important) | 2022-05-17
oval:org.opensuse.security:def:484 | P | Security update for nodejs10 (Important) | 2022-05-17
oval:org.opensuse.security:def:119395 | P | Security update for nodejs10 (Important) | 2022-05-17
oval:org.opensuse.security:def:119205 | P | Security update for nodejs10 (Important) | 2022-05-17
oval:org.opensuse.security:def:118898 | P | Security update for nodejs10 (Important) | 2022-05-17
oval:org.opensuse.security:def:118708 | P | Security update for nodejs10 (Important) | 2022-05-17
oval:org.opensuse.security:def:119384 | P | Security update for nodejs14 (Important) | 2022-04-28
oval:org.opensuse.security:def:118886 | P | Security update for nodejs12 (Important) | 2022-04-28
oval:org.opensuse.security:def:102277 | P | Security update for nodejs12 (Important) | 2022-04-28
oval:org.opensuse.security:def:119194 | P | Security update for nodejs14 (Important) | 2022-04-28
oval:org.opensuse.security:def:118696 | P | Security update for nodejs12 (Important) | 2022-04-28
oval:org.opensuse.security:def:118887 | P | Security update for nodejs14 (Important) | 2022-04-28
oval:org.opensuse.security:def:102278 | P | Security update for nodejs14 (Important) | 2022-04-28
oval:org.opensuse.security:def:457 | P | Security update for nodejs12 (Important) | 2022-04-28
oval:org.opensuse.security:def:118697 | P | Security update for nodejs14 (Important) | 2022-04-28
oval:org.opensuse.security:def:119568 | P | Security update for nodejs12 (Important) | 2022-04-28
oval:org.opensuse.security:def:1717 | P | Security update for nodejs12 (Important) | 2022-04-28
oval:org.opensuse.security:def:458 | P | Security update for nodejs14 (Important) | 2022-04-28
oval:org.opensuse.security:def:119383 | P | Security update for nodejs12 (Important) | 2022-04-28
oval:org.opensuse.security:def:119569 | P | Security update for nodejs14 (Important) | 2022-04-28
oval:org.opensuse.security:def:119193 | P | Security update for nodejs12 (Important) | 2022-04-28
oval:org.opensuse.security:def:1718 | P | Security update for nodejs14 (Important) | 2022-04-28