CVE-2021-44532

Exploit

EPSS 0.12%
Published 24.02.2022 19:15:09
Last modified 21.11.2024 06:31:10
Source support@hackerone.com
Teams watchlist Login
Open Login

Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name constraints were used within a certificate chain, allowing the bypass of these name constraints.Versions of Node.js with the fix for this escape SANs containing the problematic characters in order to prevent the injection. This behavior can be reverted through the --security-revert command-line option.

Affected products Warnungen 0 Metrics 3 CWE 2 References 9

Data is provided by the National Vulnerability Database (NVD)

Nodejs ≫ Node.Js SwEdition- Version < 12.22.9

Nodejs ≫ Node.Js SwEdition- Version >= 14.0.0 < 14.18.3

Nodejs ≫ Node.Js SwEdition- Version >= 16.0.0 < 16.13.2

Nodejs ≫ Node.Js SwEdition- Version >= 17.0.0 < 17.3.1

Oracle ≫ Graalvm Version20.3.5 SwEditionenterprise

Oracle ≫ Graalvm Version21.3.1 SwEditionenterprise

Oracle ≫ Graalvm Version22.0.0.2 SwEditionenterprise

Oracle ≫ Mysql Cluster Version <= 8.0.29

Oracle ≫ Mysql Connectors Version <= 8.0.28

Oracle ≫ Mysql Enterprise Monitor Version <= 8.0.29

Oracle ≫ Mysql Server Version <= 5.7.37

Oracle ≫ Mysql Server Version >= 8.0.0 <= 8.0.28

Oracle ≫ Mysql Workbench Version >= 8.0.0 <= 8.0.28

Oracle ≫ Peoplesoft Enterprise Peopletools Version8.58

Oracle ≫ Peoplesoft Enterprise Peopletools Version8.59

Debian ≫ Debian Linux Version11.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.12%	0.31

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:N/I:P/A:N

CWE-295 Improper Certificate Validation

The product does not validate, or incorrectly validates, a certificate.

CWE-296 Improper Following of a Certificate's Chain of Trust

The product does not follow, or incorrectly follows, the chain of trust for a certificate back to a trusted root certificate, resulting in incorrect trust of any resource that is associated with that certificate.

https://www.oracle.com/security-alerts/cpuapr2022.html

Patch

Third Party Advisory

https://www.oracle.com/security-alerts/cpujul2022.html

Third Party Advisory

https://www.debian.org/security/2022/dsa-5170

Third Party Advisory

https://hackerone.com/reports/1429694

Third Party Advisory

Mitigation

https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/

Vendor Advisory