This issue was resolved in Node.js 7.0.0 by changing the default behavior of Request Retry to reject all requests instead of retrying.

Unauthorized Access to Sensitive Data Prior to 7.0.0.

Unenforced configuration of sensitive data in the process memory of a Node.js application prior to 7.0.0.

Suggested fix: Update Node.js to version 7.0.0 or later.

Unenforced data flow into process memory prior to 7.0.0.

Data stored in process memory not encrypted prior to 7.0.0.

Data stored in process memory not obfuscated prior to 7.0.0.

Data stored in process memory not restricted prior to 7.0.0.

Data stored in process memory not tokenized prior to 7.0.0.
If your application uses any of the above insecure data flow practices, it is possible for an attacker to retrieve this data by leveraging vulnerabilities in your application or by using tools like process memory scanning or address information disclosure. Please see the Data Flow Security Guide for more information on securing data flow. PR #4135

The process memory of a Node.js application before Node.js version 7.0.0.

Process memory not restricted prior to 7.0.0.

Process memory not tokenized prior to 7.0.0.

Process memory not obfuscated prior to 7.0.0.

Unauthorized Access to Sensitive Data Prior to 6.10.0.

Unenforced configuration of sensitive data in the process memory of a Node.js application prior to 6.10.0.
Suggested fix: Update Node.js to version 6.10.0 or later, where the default behavior changed from returning an HTTP error to rejecting all requests for unauthorized access to sensitive data within your application's process memory. PR #4135

Data stored in process memory not restricted prior to 6.10.0.

The process memory of a Node.js application after 7.0.0.

Data stored in process memory not restricted prior to 7.0.0, with the exception of TLS connections and remote file system access, which are restricted by default as of Node 8 and higher.

Unauthorized Access to Sensitive Data After 7.0.0

After Node.js version 7.0.0, a vulnerability has been discovered in which the process memory of a Node.js application is not restricted. This issue was resolved in Node.js 7.0.0 by changing the default behavior of Request Retry to reject all requests instead of retrying.

Unenforced configuration of sensitive data in the process memory of a Node.js application after 7.0.0

Timeline

Published on: 02/23/2022 00:15:00 UTC
Last modified on: 03/02/2022 03:16:00 UTC
