CVE-2022-21704

Name of the Vulnerable Software and Affected Versions log4js-node versions prior to 6.4.0

Description The issue is related to the default file permissions for log files created by the file, fileSync, and dateFile appenders in log4js-node, which are world-readable in Unix. This could cause problems if log files contain sensitive information, affecting users who have not supplied their own permissions for the files via the mode parameter in the config.

Recommendations For versions prior to 6.4.0, update to log4js@6.4.0 to fix the issue. As a temporary workaround, consider passing the mode parameter to the configuration of file appenders to set custom permissions, as allowed by every version of log4js.