5.3

CVE-2021-44533

Exploit

EPSS 0.32%
Veröffentlicht 24.02.2022 19:15:09
Zuletzt bearbeitet 21.11.2024 06:31:10
Quelle support@hackerone.com
Teams Watchlist Login
Unerledigt Login

Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 did not handle multi-value Relative Distinguished Names correctly. Attackers could craft certificate subjects containing a single-value Relative Distinguished Name that would be interpreted as a multi-value Relative Distinguished Name, for example, in order to inject a Common Name that would allow bypassing the certificate subject verification.Affected versions of Node.js that do not accept multi-value Relative Distinguished Names and are thus not vulnerable to such attacks themselves. However, third-party code that uses node's ambiguous presentation of certificate subjects may be vulnerable.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 9

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Nodejs ≫ Node.Js SwEdition- Version < 12.22.9

Nodejs ≫ Node.Js SwEdition- Version >= 14.0.0 < 14.18.3

Nodejs ≫ Node.Js SwEdition- Version >= 16.0.0 < 16.13.2

Nodejs ≫ Node.Js SwEdition- Version >= 17.0.0 < 17.3.1

Oracle ≫ Graalvm Version20.3.5 SwEditionenterprise

Oracle ≫ Graalvm Version21.3.1 SwEditionenterprise

Oracle ≫ Graalvm Version22.0.0.2 SwEditionenterprise

Oracle ≫ Mysql Cluster Version < 8.0.29

Oracle ≫ Mysql Cluster Version8.0.29

Oracle ≫ Mysql Connectors Version <= 8.0.28

Oracle ≫ Mysql Enterprise Monitor Version <= 8.0.29

Oracle ≫ Mysql Server Version <= 5.7.37

Oracle ≫ Mysql Server Version >= 8.0.0 <= 8.0.28

Oracle ≫ Mysql Workbench Version <= 8.0.28

Oracle ≫ Peoplesoft Enterprise Peopletools Version8.58

Oracle ≫ Peoplesoft Enterprise Peopletools Version8.59

Debian ≫ Debian Linux Version11.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.32%	0.544

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:N/I:P/A:N

CWE-295 Improper Certificate Validation

The product does not validate, or incorrectly validates, a certificate.

https://www.oracle.com/security-alerts/cpuapr2022.html

Patch

Third Party Advisory

https://www.oracle.com/security-alerts/cpujul2022.html

Third Party Advisory

https://www.debian.org/security/2022/dsa-5170

Third Party Advisory

https://hackerone.com/reports/1429694

Third Party Advisory

Exploit

Mitigation

https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/

Vendor Advisory

Release Notes

https://security.netapp.com/advisory/ntap-20220325-0007/

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2021-44533

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-44533

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-44533

EUVD