[FREEBSD:972BA0E8-8B8A-11EC-B369-6C3BE5272ACD] Node.js -- January 2022 Security Releases
Severity: High
Affected Packages: 3
CVEs: 4
Node.js reports:
Improper handling of URI Subject Alternative Names (Medium) (CVE-2021-44531)
Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js was accepting URI SAN types, which PKIs are often not defined to use. Additionally, when a protocol allows URI SANs, Node.js did not match the URI correctly.
Certificate Verification Bypass via String Injection (Medium) (CVE-2021-44532)
Node.js converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name constraints were used within a certificate chain, allowing the bypass of these name constraints.
Incorrect handling of certificate subject and issuer fields (Medium) (CVE-2021-44533)
Node.js did not handle multi-value Relative Distinguished Names correctly. Attackers could craft certificate subjects containing a single-value Relative Distinguished Name that would be interpreted as a multi-value Relative Distinguished Name, for example, in order to inject a Common Name that would allow bypassing the certificate subject verification.
Prototype pollution via console.table properties (Low) (CVE-2022-21824)
Due to the formatting logic of the console.table() function it was not safe to allow user controlled input to be passed to the properties parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be __proto__. The prototype pollution has very limited control, in that it only allows an empty string to be assigned to numerical keys of the object prototype.
| Package | Affected Version |
|---|---|
| pkg:freebsd/node16 | < 16.13.2 |
| pkg:freebsd/node14 | < 14.18.3 |
| pkg:freebsd/node | < 12.22.9 |
- ID: FREEBSD:972BA0E8-8B8A-11EC-B369-6C3BE5272ACD
- Severity: high
- Severity from: CVE-2022-21824
- URL: http://vuxml.freebsd.org/freebsd/972ba0e8-8b8a-11ec-b369-6c3be5272acd.html
- Published: 2022-01-10T00:00:00
- Modified: 2022-02-12T00:00:00
- Rights: FreeBSD VuXML Security Team
- Other Advisories:
- ALPINE:CVE-2021-44531
- ALPINE:CVE-2021-44532
- ALPINE:CVE-2021-44533
- ALPINE:CVE-2022-21824
- ALSA-2022:7830
- ALSA-2022:9073
- DSA-5170-1
- ELSA-2022-7830
- FEDORA-2022-0eda327cb4
- FEDORA-2022-78090d2099
- FREEBSD:8E150606-08C9-11ED-856E-D4C9EF517024
- GLSA-202405-29
- MS:CVE-2021-44531
- MS:CVE-2021-44532
- MS:CVE-2021-44533
- MS:CVE-2022-21824
- openSUSE-SU-2022:0112-1
- openSUSE-SU-2022:0113-1
- RHEA-2022:5139
- RHSA-2022:7830
- RHSA-2022:9073
- RLEA-2022:5139
- RLSA-2022:7830
- RLSA-2022:9073
- SUSE-SU-2022:0101-1
- SUSE-SU-2022:0112-1
- SUSE-SU-2022:0113-1
- SUSE-SU-2022:0114-1
- SUSE-SU-2022:0570-1
- SUSE-SU-2022:1717-1
| Source | URL |
|---|---|
| FreeBSD VuXML | https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/ |