CVE-2021-44532

Name
CVE-2021-44532
Description
Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name constraints were used within a certificate chain, allowing the bypass of these name constraints.Versions of Node.js with the fix for this escape SANs containing the problematic characters in order to prevent the injection. This behavior can be reverted through the --security-revert command-line option.
NVD Severity
medium
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
Mitigation https://hackerone.com/reports/1429694
Exploit https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/
Third Party Advisory https://security.netapp.com/advisory/ntap-20220325-0007/
MISC https://www.oracle.com/security-alerts/cpuapr2022.html

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:* nodejs >= None < 12.22.9
cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:* nodejs >= 14.0.0 < 14.18.3
cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:* nodejs >= 16.0.0 < 16.13.2
cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:* nodejs >= 17.0.0 < 17.3.1

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
openjdk11 3.15-community 11.0.15_p10-r0 Simon Frankenberger <simon-alpine@fraho.eu> fixed