CVE-2021-44532

CVSS v3.1: 5.3 (Medium)
CVSS v2.0: 5 (Medium)
EPSS: 0.44% (75th percentile)
Affected Products: 9
Advisories: 22

Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name constraints were used within a certificate chain, allowing the bypass of these name constraints. Versions of Node.js that include the fix escape SANs containing the problematic characters in order to prevent the injection. This behavior can be reverted through the --security-revert command-line option.

Weaknesses
CWE-295: Improper Certificate Validation
CWE-296: Improper Following of a Certificate's Chain of Trust

CVE Status: PUBLISHED
CNA: HackerOne
Published Date: 2022-02-24 19:15:09
Updated Date: 2022-10-05 14:00:39

Affected Products


Configuration #1

  Product         CPE 2.3                             From       Up To
  Nodejs Node.js  cpe:2.3:a:nodejs:node.js::*:*:*:-   -          < 12.22.9
  Nodejs Node.js  cpe:2.3:a:nodejs:node.js::*:*:*:-   >= 14.0.0  < 14.18.3
  Nodejs Node.js  cpe:2.3:a:nodejs:node.js::*:*:*:-   >= 16.0.0  < 16.13.2
  Nodejs Node.js  cpe:2.3:a:nodejs:node.js::*:*:*:-   >= 17.0.0  < 17.3.1

Configuration #2

  Product                                  CPE 2.3                                               From      Up To
  Oracle Graalvm                           cpe:2.3:a:oracle:graalvm:20.3.5:*:*:*:enterprise      -         = 20.3.5
  Oracle Graalvm                           cpe:2.3:a:oracle:graalvm:21.3.1:*:*:*:enterprise      -         = 21.3.1
  Oracle Graalvm                           cpe:2.3:a:oracle:graalvm:22.0.0.2:*:*:*:enterprise    -         = 22.0.0.2
  Oracle Mysql Cluster                     cpe:2.3:a:oracle:mysql_cluster                        -         <= 8.0.29
  Oracle Mysql Connectors                  cpe:2.3:a:oracle:mysql_connectors                     -         <= 8.0.28
  Oracle Mysql Enterprise Monitor          cpe:2.3:a:oracle:mysql_enterprise_monitor             -         <= 8.0.29
  Oracle Mysql Server                      cpe:2.3:a:oracle:mysql_server                         -         <= 5.7.37
  Oracle Mysql Server                      cpe:2.3:a:oracle:mysql_server                         >= 8.0.0  <= 8.0.28
  Oracle Mysql Workbench                   cpe:2.3:a:oracle:mysql_workbench                      >= 8.0.0  <= 8.0.28
  Oracle Peoplesoft Enterprise Peopletools cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58  -      = 8.58
  Oracle Peoplesoft Enterprise Peopletools cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59  -      = 8.59

Configuration #3

  Product       CPE 2.3                            From  Up To
  Debian Linux  cpe:2.3:o:debian:debian_linux:11.0  -     = 11.0