CVE-2022-32222

NameCVE-2022-32222
DescriptionA cryptographic vulnerability exists on Node.js on linux in versions of 18.x prior to 18.40.0 which allowed a default path for openssl.cnf that might be accessible under some circumstances to a non-admin user instead of /etc/ssl as was the case in versions prior to the upgrade to OpenSSL 3.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
nodejs (PTS)buster10.24.0~dfsg-1~deb10u1fixed
buster (security)10.24.0~dfsg-1~deb10u2fixed
bullseye12.22.5~dfsg-2~11u1fixed
bullseye (security)12.22.12~dfsg-1~deb11u1fixed
bookworm, sid18.12.1+dfsg-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
nodejssource(unstable)(not affected)

Notes

- nodejs <not-affected> (Specific to Node 18 and nodejs-distributed binaries)
https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/#attempt-to-read-openssl-cnf-from-home-iojs-build-upon-startup-medium-cve-2022-32222
https://github.com/nodejs/node/commit/a5fc2deb43f85dc2195a1fe1683b9c2e7443b001

Search for package or bug name: Reporting problems