CVE-2022-36127
Published: 18 July 2022
Summary
CVE-2022-36127 is a high-severity vulnerability of unspecified weakness type in Apache SkyWalking NodeJS Agent. Its CVSS base score is 7.5 (High).
Operationally, it is ranked in the top 9.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
The vulnerability CVE-2022-36127 resides in Apache SkyWalking NodeJS Agent versions prior to 0.5.1. When the Observability Analysis Platform (OAP) is unhealthy and the agent cannot establish a connection, affected NodeJS services become unavailable, producing a CVSS 7.5 impact strictly on availability.
An unauthenticated network attacker can trigger the condition by preventing the agent from reaching a healthy OAP instance, resulting in denial of service to the instrumented NodeJS application without any privileges or user interaction required.
Public advisories and patch information are available in the referenced Apache mailing-list threads and OpenWall oss-security postings, which document the fix released in version 0.5.1.
The associated EPSS score has remained flat at 0.0516 with no material rise after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-6291
Vulnerability details
A vulnerability in Apache SkyWalking NodeJS Agent prior to 0.5.1. The vulnerability will cause NodeJS services that have this agent installed to be unavailable if the OAP is unhealthy and the NodeJS agent can't establish the connection.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.