CVE-2022-21704: 
JavaScript vulnerability analysis and mitigation

CVE-2022-21704 affects log4js-node, a port of log4js to node.js. The vulnerability was discovered in versions prior to 6.4.0, where default file permissions for log files created by the file, fileSync, and dateFile appenders were set to world-readable (0o644) in Unix systems. This security issue was disclosed on January 19, 2022, and could potentially expose sensitive information in log files (GitHub Advisory).

The vulnerability stems from incorrect default permissions (0o644) set for log files, which made them world-readable. This affects the file, fileSync, and dateFile appenders in the log4js-node package. The issue has been assigned a CVSS v3.1 base score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. The vulnerability is classified as CWE-276 (Incorrect Default Permissions) (NVD).

The primary impact of this vulnerability is the potential exposure of sensitive information. Since log files were created with world-readable permissions by default, any user on the system could read the log files if they contained sensitive data. This particularly affects users who had not explicitly set their own file permissions through the mode parameter in the configuration (GitHub Advisory).

The issue has been fixed in version 6.4.0 of log4js-node by changing the default file permissions from 0o644 to 0o600. Users are advised to upgrade to this version or later. For those unable to upgrade immediately, a workaround is available by explicitly setting the mode parameter in the appender configuration to restrict file permissions (GitHub Commit).

The vulnerability was addressed in various distributions, including Debian, which released security updates to address this issue. Debian provided the fix in version 4.0.2-2+deb10u1 for Debian 10 (buster) (Debian Advisory).