Incorrect Default Permissions in log4js
Moderate severity
GitHub Reviewed
Published
Jan 19, 2022
in
log4js-node/log4js-node
•
Updated Jan 24, 2024
Description
Reviewed
Jan 19, 2022
Published by the National Vulnerability Database
Jan 19, 2022
Published to the GitHub Advisory Database
Jan 21, 2022
Last updated
Jan 24, 2024
Impact
Default file permissions for log files created by the file, fileSync and dateFile appenders are world-readable (in unix). This could cause problems if log files contain sensitive information. This would affect any users that have not supplied their own permissions for the files via the mode parameter in the config.
Patches
Fixed by:
Released to NPM in log4js@6.4.0
Workarounds
Every version of log4js published allows passing the mode parameter to the configuration of file appenders, see the documentation for details.
References
Thanks to ranjit-git for raising the issue, and to @lamweili for fixing the problem.
For more information
If you have any questions or comments about this advisory:
References