
CVE-2022-21704: CWE-276: Incorrect Default Permissions in log4js-node

Medium
Published: Wed Jan 19 2022 (01/19/2022, 00:00:00 UTC)
Source: CVE
Vendor/Project: log4js-node
Product: log4js-node

Description

log4js-node is a port of log4js to node.js. In affected versions default file permissions for log files created by the file, fileSync and dateFile appenders are world-readable (in unix). This could cause problems if log files contain sensitive information. This would affect any users that have not supplied their own permissions for the files via the mode parameter in the config. Users are advised to update.

AI-Powered Analysis

AI analysis last updated: 06/23/2025, 18:03:06 UTC

Technical Analysis

CVE-2022-21704 is a security vulnerability identified in the log4js-node library, a Node.js port of the popular logging framework log4js. The issue pertains to incorrect default file permissions (CWE-276) assigned to log files created by the file, fileSync, and dateFile appenders in affected versions prior to 6.4.0. Specifically, on Unix-based systems, these log files are created with world-readable permissions by default, meaning any user on the system can read the contents of these log files unless the user explicitly configures more restrictive permissions via the 'mode' parameter in the logging configuration. This misconfiguration can lead to unintended exposure of sensitive information contained within the logs, such as authentication tokens, personally identifiable information (PII), or internal system details, which could be leveraged by attackers for further exploitation or reconnaissance. The vulnerability does not require authentication or user interaction to be exploited, but it does require that an attacker has access to the underlying filesystem or user accounts on the affected system. There are no known exploits in the wild at the time of reporting, and no official patch links were provided, but users are advised to update to version 6.4.0 or later where this issue is resolved by setting more secure default permissions. The vulnerability primarily impacts Unix-like environments where file permissions are critical to security posture. Since the issue arises from default configurations, it can affect a broad range of applications and services that rely on log4js-node for logging without custom permission settings.

Potential Impact

For European organizations, the exposure of sensitive log files due to overly permissive default file permissions can have significant consequences. Confidential information leakage through logs can lead to data breaches, violating GDPR and other data protection regulations, potentially resulting in heavy fines and reputational damage. Integrity of logs could also be compromised if unauthorized users gain read access and potentially manipulate log data indirectly by exploiting knowledge gained from logs. Availability impact is limited but could arise if attackers use leaked information to escalate privileges or disrupt services. Sectors with high regulatory scrutiny such as finance, healthcare, and critical infrastructure are particularly at risk. Additionally, organizations with multi-tenant environments or shared hosting could face cross-tenant data exposure. Since log4js-node is widely used in Node.js applications, any European company leveraging Node.js backend services without customized secure logging configurations is vulnerable. The risk is exacerbated in environments where system user accounts are shared or not tightly controlled. Overall, the vulnerability poses a medium risk but with potential for serious compliance and operational impacts if exploited.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should:

1) Immediately upgrade log4js-node to version 6.4.0 or later, where the default file permissions are corrected.
2) Review and explicitly configure the 'mode' parameter in log4js-node appenders to enforce restrictive file permissions (e.g., 0600 or 0640) so that logs are only accessible to authorized users.
3) Audit existing log files for exposure and restrict their permissions retroactively.
4) Implement strict access controls on servers hosting Node.js applications, limiting user accounts and enforcing least-privilege principles.
5) Monitor file system permissions regularly using automated compliance tools to detect overly permissive log files.
6) Educate development and operations teams about secure logging practices, emphasizing the importance of secure default configurations.
7) Consider encrypting sensitive log data at rest or using centralized logging solutions with controlled access.

These steps go beyond generic advice by focusing on configuration management, access control, and organizational processes tailored to this specific vulnerability.


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2021-11-16T00:00:00.000Z
Cisa Enriched
true

Threat ID: 682d9842c4522896dcbf2342

Added to database: 5/21/2025, 9:09:22 AM

Last enriched: 6/23/2025, 6:03:06 PM

Last updated: 8/12/2025, 8:02:10 AM
