A new version of log4js is now available. This version contains a fix for a potential cross-site request forgery (CSRF) attack vector. In versions of log4js prior to 1.2.15 and 1.3.10, setting a user's id as a value for a custom appender could result in a potential CSRF attack vector. Setting a custom appender's userId to the id of a user not associated with the appender's configuration could cause a CSRF attack. In versions 1.2.15 and 1.3.10, setting a user's id as a value for a custom appender could result in a potential CSRF attack vector. Setting a custom appender's userId to the id of a user not associated with the appender's configuration could cause a CSRF attack. A new version of log4js is now available and contains a fix for this issue. Users are advised to update as soon as possible.
What is log4js?
Log4js is a logging library for Node.js and the browser. It provides an easy-to-use abstraction of loggers, appenders, filters, and levels which can be used on any platform. In addition to producing logs for debugging or monitoring purposes, log4js can also be used with other libraries to provide structured domain logic within the application itself.
The following blog post discusses important information about a new version of log4js that contains a fix for potential CSRF attack vectors.
What is CSRF?
Cross-site request forgery (CSRF) is a security vulnerability that allows malicious actors to hijack the authentication of unsuspecting users on a website by tricking them into clicking on a specially crafted link. The vulnerability occurs because web applications do not perform any checks on the origin of browser requests and are vulnerable to "man-in-the-middle" attacks. A CSRF exploit can result in unauthorized access to user data, including passwords and session cookies.
Overview of the Issue
A new version of log4js is now available and contains a fix for this issue. Users are advised to update as soon as possible. This version contains a fix for a potential cross-site request forgery (CSRF) attack vector. In versions of log4js prior to 1.2.15 and 1.3.10, setting a user's id as a value for a custom appender could result in a potential CSRF attack vector. Setting a custom appender's userId to the id of a user not associated with the appender's configuration could cause a CSRF attack. In versions 1.2.15 and 1.3.10, setting a user's id as a value for a custom appender could result in a potential CSRF attack vector. Setting a custom appender's userId to the id of a user not associated with the appender's configuration could cause a CSRF attack.
Timeline
Published on: 01/19/2022 23:15:00 UTC
Last modified on: 01/27/2022 16:50:00 UTC
References
- https://github.com/log4js-node/log4js-node/blob/v6.4.0/CHANGELOG.md#640
- https://github.com/log4js-node/log4js-node/pull/1141/commits/8042252861a1b65adb66931fdf702ead34fa9b76
- https://github.com/log4js-node/streamroller/pull/87
- https://github.com/log4js-node/log4js-node/security/advisories/GHSA-82v2-mx6x-wq7q
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-21704