Home > Vulnerability Database > CVE-2022-31004

Mend.io Vulnerability Database

CVE-2022-31004

Date: May 25, 2022

CVEProject/cve-services is an open source project used to operate the CVE services API. A conditional in 'data.js' has potential for production secrets to be written to disk. The affected method writes the generated randomKey to disk if the environment is not development. If this method were called in production, it is possible that it would write the plaintext key to disk. A patch is not available as of time of publication but is anticipated as a "hot fix" for version 1.1.1 and for the 2.x branch.

Language: JS

Severity Score

7.5

Related Resources (4)

Url: https://github.com/CVEProject/cve-services/security/advisories/GHSA-mpwm-rmqp-7629

Url: https://nvd.nist.gov/vuln/detail/CVE-2022-31004

Url: https://github.com/CVEProject/cve-services/blob/6b085e481fd3b084a8828ef7489c6b82fa415c92/src/utils/data.js#L68-L83

Url: https://www.mend.io/vulnerability-database/CVE-2022-31004

Severity Score

7.5

Weakness Type (CWE)

Logging of Excessive Data

CWE-779

Cleartext Storage of Sensitive Information

CWE-312

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

CVSS v2

Base Score:	5.0
Access Vector (AV):	NETWORK
Access Complexity (AC):	LOW
Authentication (AU):	NONE
Confidentiality (C):	PARTIAL
Integrity (I):	NONE
Availability (A):	NONE
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2022-31004

Date: May 25, 2022

Language: JS

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

CVSS v3.1

CVSS v2

Do you need more information?