Platform: nodejs
Component: eventsource
Fixed in: 2.0.2
CVE-2022-1650 describes a vulnerability in the eventsource package affecting all versions before 2.0.2. It is classified as Improper Removal of Sensitive Information Before Storage or Transfer (CWE-212) and can expose sensitive data to an unauthorized actor. Upgrade to version 2.0.2 or later to address this issue.
The concrete weakness, as described in the upstream advisory and the issue linked below, is in how the client follows HTTP redirects: before 2.0.2 it re-sent the original request headers, including credential-bearing ones such as Authorization and Cookie, to the redirect target even when that target was a different origin. Whoever controls the redirect destination therefore receives the client's credentials. An attacker who operates the server the client connects to, or can influence where it redirects (for example through an open redirect on that server), can exploit this. The impact is credential theft and, from there, unauthorized access to whatever those credentials protect; the blast radius depends on which applications use the vulnerable package and with which credentials they connect.
CVE-2022-1650 is not currently listed on KEV; its EPSS score is 1.14% (78th percentile). The CVSS score of 8.1 (High) indicates a significant risk. Public proof-of-concept (PoC) exploits are not widely available. Published by the NVD on 2022-05-12.
Applications built on Node.js that rely on the eventsource library for server-sent events (SSE) streaming are at risk, particularly those that send an Authorization or Cookie header with the connection. This includes web applications, backend services, and any other systems integrating this library. Teams that have not recently reviewed their dependencies are particularly exposed, since eventsource is often pulled in transitively.
• nodejs / server:
npm list eventsource
Lists every installed copy of eventsource, including transitive copies nested under other packages. Any copy with a version below 2.0.2 is vulnerable.
• nodejs / server:
npm audit
Checks the whole dependency tree recorded in package-lock.json against the npm advisory database. npm audit does not take a package name as an argument, so filter the report for eventsource or CVE-2022-1650.
• generic web:
Review application code for places where an EventSource connection is opened with credentials (an Authorization or Cookie header) or against a URL that may redirect. Those are the points where sensitive information could be forwarded to another origin without being removed first.
Exploit status: disclosure
EPSS: 1.14% (78th percentile)
The primary mitigation for CVE-2022-1650 is to upgrade the eventsource package to version 2.0.2 or later. If upgrading is not immediately possible, do not attach Authorization or Cookie headers to EventSource connections whose target server you do not fully control or that might redirect to another origin, and prefer resolving any redirects yourself before opening the stream. After upgrading, confirm the installed version with npm list eventsource and verify that a cross-origin redirect of the event stream no longer carries the client's credential headers.
CVE-2022-1650 is a HIGH severity information disclosure vulnerability affecting the eventsource library in Node.js applications. It allows sensitive data to be exposed due to improper removal before storage or transfer.
You are affected if your Node.js application uses the eventsource library in any version before 2.0.2, directly or as a transitive dependency. Check your dependencies with npm list eventsource.
Upgrade the eventsource library to version v2.0.2 or later using npm install eventsource@latest.
There is currently no evidence of active exploitation campaigns targeting CVE-2022-1650, but it's crucial to patch promptly.
Refer to the GitHub repository eventsource/eventsource for details: https://github.com/eventsource/eventsource/issues/118