Security Bulletin #22-004 - Node.js external library vulnerability



First published: 13th July 2022
Last updated: 13th July 2022
Severity: None


Summary

A vulnerability has been found in the implementation of Node.js. This affects the following supported DriveLock products (supported at the time this bulletin was created):

  • DriveLock 2020.2
  • DriveLock 2021.1
  • DriveLock 2021.2
  • DriveLock 2022.1

Description

The detected vulnerabilities in Node.js allow a remote, anonymous attacker to execute arbitrary code, which can be used to manipulate or circumvent security mechanisms.

The vulnerabilities CVE-2022-32212, CVE-2022-32213, CVE-2022-32214, CVE-2022-32215, CVE-2022-32222 and CVE-2022-32223 are collected in WID-SEC-2022-0621; the vulnerabilities with classification “High” are written in bold.

CVE-2022-32212: Only exploitable via the command-line switch node --inspect, which enables the Node.js debugging interface and is not used by the DES server. A remote user cannot pass arbitrary arguments to the Node.js runtime, so this vulnerability cannot be exploited.

CVE-2022-32213, CVE-2022-32214, CVE-2022-32215: HTTP request smuggling is not possible because the Node.js HTTP API sits behind a reverse proxy that does its own header parsing and validation.

CVE-2022-32222: Not applicable because it only affects Linux systems and the attacker would need local access to the DES.

CVE-2022-32223: The attacker needs local access to the DES server and needs write access to the DES service's user profile. Using the DES server alone, there is no way to exploit this remotely.
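
The argument for CVE-2022-32213, CVE-2022-32214 and CVE-2022-32215 rests on the reverse proxy refusing ambiguously framed requests before Node.js parses them. The following added example (not DriveLock's proxy and not Node.js code) sketches such strict header validation; the function name validateRequestHead, the host des.example and the accept/reject policy are assumptions.

```javascript
// Added example, not DriveLock or Node.js code. validateRequestHead is a
// hypothetical name; the accept/reject policy is an assumption of this sketch.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
const reject = (reason) => ({ ok: false, reason });

function validateRequestHead(raw) {
  // The head must be terminated by an empty line, i.e. CRLF CRLF.
  if (!raw.endsWith('\r\n\r\n')) return reject('incomplete head');
  const lines = raw.slice(0, -4).split('\r\n');
  // Anything left over after splitting on CRLF is a bare CR or a bare LF.
  if (lines.some((l) => /[\r\n]/.test(l))) return reject('bare CR or LF');
  if (!/^[A-Z]+ \S+ HTTP\/1\.[01]$/.test(lines[0])) return reject('bad request line');

  const headers = new Map();
  for (const line of lines.slice(1)) {
    // Continuation lines (leading SP or HTAB) are refused, not unfolded.
    if (/^[ \t]/.test(line)) return reject('folded header line');
    const colon = line.indexOf(':');
    const name = colon < 0 ? '' : line.slice(0, colon);
    // Also catches whitespace before the colon and empty lines.
    if (!TOKEN.test(name)) return reject('invalid header name');
    const key = name.toLowerCase();
    if (!headers.has(key)) headers.set(key, []);
    headers.get(key).push(line.slice(colon + 1).trim());
  }

  const te = headers.get('transfer-encoding');
  const cl = headers.get('content-length');
  // Two framing headers at once leave the body length open to interpretation.
  if (te && cl) return reject('both Transfer-Encoding and Content-Length');
  // Only a single, exact "chunked" coding is accepted.
  if (te && (te.length !== 1 || te[0].toLowerCase() !== 'chunked'))
    return reject('unsupported Transfer-Encoding');
  // Repeated Content-Length values must agree and be plain decimal digits.
  if (cl && (new Set(cl).size !== 1 || !/^[0-9]+$/.test(cl[0])))
    return reject('invalid Content-Length');
  return { ok: true, reason: 'accepted' };
}

// Constructed request heads (not captured traffic); des.example is a placeholder.
const sampleHeads = [
  'POST /api HTTP/1.1\r\nHost: des.example\r\nContent-Length: 5\r\n\r\n',
  'POST /api HTTP/1.1\r\nHost: des.example\nContent-Length: 5\r\n\r\n',
  'POST /api HTTP/1.1\r\nHost: des.example\r\nTransfer-Encoding:\r\n chunked\r\n\r\n',
];
for (const head of sampleHeads) console.log(validateRequestHead(head).reason);
```

A request rejected here never reaches the backend parser, so the proxy and the backend cannot disagree about where that request ends.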

Mitigation

DriveLock cannot be targeted using these exploits.

How to update your environment

Customers do not need to update their environment.
Nevertheless, we always recommend using the latest available version.