CVE-2021-44532

CVE-2021-44532

Name

CVE-2021-44532

Description

Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name constraints were used within a certificate chain, allowing the bypass of these name constraints.Versions of Node.js with the fix for this escape SANs containing the problematic characters in order to prevent the injection. This behavior can be reverted through the --security-revert command-line option.

NVD Severity

medium

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
Mitigation	https://hackerone.com/reports/1429694
Exploit	https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/
Third Party Advisory	https://security.netapp.com/advisory/ntap-20220325-0007/
MISC	https://www.oracle.com/security-alerts/cpuapr2022.html

Type

URI

Mitigation

https://hackerone.com/reports/1429694

Exploit

https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/

Third Party Advisory

https://security.netapp.com/advisory/ntap-20220325-0007/

MISC

https://www.oracle.com/security-alerts/cpuapr2022.html

Match rules

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:nodejs:node.js:::::-:::*`	nodejs	>= None	< 12.22.9
`cpe:2.3:a:nodejs:node.js:::::-:::*`	nodejs	>= 14.0.0	< 14.18.3
`cpe:2.3:a:nodejs:node.js:::::-:::*`	nodejs	>= 16.0.0	< 16.13.2
`cpe:2.3:a:nodejs:node.js:::::-:::*`	nodejs	>= 17.0.0	< 17.3.1

CPE URI

Source package

Min version

Max version

cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*

nodejs

>= None

< 12.22.9

cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*

nodejs

>= 14.0.0

< 14.18.3

cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*

nodejs

>= 16.0.0

< 16.13.2

cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*

nodejs

>= 17.0.0

< 17.3.1

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
nodejs	edge-main	16.13.2-r0	Jakub Jirutka <jakub@jirutka.cz>	fixed
nodejs-current	edge-community	17.3.1-r0	Jose-Luis Rivas <ghostbar@riseup.net>	fixed
openjdk11	edge-community	11.0.15_p10-r0	Simon Frankenberger <simon-alpine@fraho.eu>	fixed
nodejs	3.22-main	16.13.2-r0	None	fixed
nodejs-current	3.22-community	17.3.1-r0	None	fixed
openjdk11	3.22-community	11.0.15_p10-r0	None	fixed
nodejs	3.21-main	16.13.2-r0	None	fixed
nodejs-current	3.21-community	17.3.1-r0	None	fixed
openjdk11	3.21-community	11.0.15_p10-r0	None	fixed
nodejs	3.20-main	16.13.2-r0	None	fixed
nodejs-current	3.20-community	17.3.1-r0	None	fixed
openjdk11	3.20-community	11.0.15_p10-r0	None	fixed
nodejs	3.19-main	16.13.2-r0	None	fixed
nodejs-current	3.19-community	17.3.1-r0	None	fixed
openjdk11	3.19-community	11.0.15_p10-r0	None	fixed
nodejs	3.18-main	16.13.2-r0	None	fixed
nodejs-current	3.18-community	17.3.1-r0	None	fixed
openjdk11	3.18-community	11.0.15_p10-r0	None	fixed
nodejs	3.17-main	16.13.2-r0	None	fixed
nodejs-current	3.17-community	17.3.1-r0	None	fixed
openjdk11	3.17-community	11.0.15_p10-r0	None	fixed
nodejs	3.12-main	12.22.10-r0	Jakub Jirutka <jakub@jirutka.cz>	fixed

Source package

Branch

Version

Maintainer

Status

nodejs

edge-main

16.13.2-r0

Jakub Jirutka <jakub@jirutka.cz>

fixed

nodejs-current

edge-community