{"containers": {"cna": {"affected": [{"product": "https://github.com/nodejs/node", "vendor": "n/a", "versions": [{"status": "affected", "version": "Fixed in 12.22.9, 14.18.3, 16.13.2, 17.3.1"}]}], "descriptions": [{"lang": "en", "value": "Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 was accepting URI SAN types, which PKIs are often not defined to use. Additionally, when a protocol allows URI SANs, Node.js did not match the URI correctly.Versions of Node.js with the fix for this disable the URI SAN type when checking a certificate against a hostname. This behavior can be reverted through the --security-revert command-line option."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-295", "description": "Improper Certificate Validation (CWE-295)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-07-25T16:40:56", "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://hackerone.com/reports/1429694"}, {"tags": ["x_refsource_MISC"], "url": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20220325-0007/"}, {"name": "DSA-5170", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2022/dsa-5170"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpujul2022.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "support@hackerone.com", "ID": "CVE-2021-44531", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "https://github.com/nodejs/node", "version": {"version_data": [{"version_value": "Fixed in 12.22.9, 14.18.3, 16.13.2, 17.3.1"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 was accepting URI SAN types, which PKIs are often not defined to use. Additionally, when a protocol allows URI SANs, Node.js did not match the URI correctly.Versions of Node.js with the fix for this disable the URI SAN type when checking a certificate against a hostname. This behavior can be reverted through the --security-revert command-line option."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Improper Certificate Validation (CWE-295)"}]}]}, "references": {"reference_data": [{"name": "https://hackerone.com/reports/1429694", "refsource": "MISC", "url": "https://hackerone.com/reports/1429694"}, {"name": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/", "refsource": "MISC", "url": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/"}, {"name": "https://www.oracle.com/security-alerts/cpuapr2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}, {"name": "https://security.netapp.com/advisory/ntap-20220325-0007/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20220325-0007/"}, {"name": "DSA-5170", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2022/dsa-5170"}, {"name": "https://www.oracle.com/security-alerts/cpujul2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujul2022.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T04:25:16.807Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://hackerone.com/reports/1429694"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://security.netapp.com/advisory/ntap-20220325-0007/"}, {"name": "DSA-5170", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "https://www.debian.org/security/2022/dsa-5170"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpujul2022.html"}]}]}, "cveMetadata": {"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "assignerShortName": "hackerone", "cveId": "CVE-2021-44531", "datePublished": "2022-02-24T18:27:00", "dateReserved": "2021-12-02T00:00:00", "dateUpdated": "2024-08-04T04:25:16.807Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*", "matchCriteriaId": "DAE16BC9-7B14-48DA-ADEB-D1898E0B9885", "versionEndExcluding": "12.22.9", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*", "matchCriteriaId": "8499B085-A803-4958-BB99-8E7FABB177BB", "versionEndExcluding": "14.18.3", "versionStartIncluding": "14.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*", "matchCriteriaId": "113157AB-0571-4244-A857-ADE4F4EA1F11", "versionEndExcluding": "16.13.2", "versionStartIncluding": "16.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*", "matchCriteriaId": "9DF5B801-BC99-4F91-B350-C14A5998532C", "versionEndExcluding": "17.3.1", "versionStartIncluding": "17.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:graalvm:20.3.5:*:*:*:enterprise:*:*:*", "matchCriteriaId": "079F2588-2746-408B-9BB0-9A569289985B", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:graalvm:21.3.1:*:*:*:enterprise:*:*:*", "matchCriteriaId": "51600424-E294-41E0-9C8B-12D0C3456027", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:graalvm:22.0.0.2:*:*:*:enterprise:*:*:*", "matchCriteriaId": "C3D12B98-032F-49A6-B237-E0CAD32D9A25", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:mysql_connectors:*:*:*:*:*:*:*:*", "matchCriteriaId": "727AE4B8-ECED-4942-B378-AC869D39D8D0", "versionEndIncluding": "8.0.28", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*", "matchCriteriaId": "B0EBAC6D-D0CE-42A1-AEA0-2D50C8035747", "versionEndIncluding": "8.0.29", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "361CAD5F-8866-44CC-A47E-C0E98A9FAABA", "versionEndIncluding": "5.7.37", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "3D713546-8144-491B-B3D9-FBE437E4A442", "versionEndIncluding": "8.0.28", "versionStartIncluding": "8.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:mysql_workbench:*:*:*:*:*:*:*:*", "matchCriteriaId": "7BDC629D-CC4C-4903-8A06-BF5823457996", "versionEndIncluding": "8.0.28", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*", "matchCriteriaId": "D9DB4A14-2EF5-4B54-95D2-75E6CF9AA0A9", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*", "matchCriteriaId": "C8AF00C6-B97F-414D-A8DF-057E6BFD8597", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:mysql_cluster:*:*:*:*:*:*:*:*", "matchCriteriaId": "CDB1E9C2-30CD-4DD2-BB9F-AF59B8DA9B9E", "versionEndIncluding": "8.0.29", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 was accepting URI SAN types, which PKIs are often not defined to use. Additionally, when a protocol allows URI SANs, Node.js did not match the URI correctly.Versions of Node.js with the fix for this disable the URI SAN type when checking a certificate against a hostname. This behavior can be reverted through the --security-revert command-line option."}, {"lang": "es", "value": "Aceptar tipos de nombres alternativos de sujeto (SAN) arbitrarios, a menos que una PKI est\u00e9 definida espec\u00edficamente para usar un tipo de SAN concreto, puede resultar en una omisi\u00f3n de los intermediarios con restricci\u00f3n de nombre. Node.js versiones anteriores a 12.22.9, versiones anteriores a 14.18.3, versiones anteriores a 16.13.2 y versiones anteriores a 17.3.1, aceptaba tipos de URI SAN, que las PKI no suelen estar definidas para usar. Adem\u00e1s, cuando un protocolo permite URI SANs, Node.js no hac\u00eda coincidir el URI correctamente. Las versiones de Node.js con la correcci\u00f3n para esto deshabilitan el tipo URI SAN cuando comprueban un certificado contra un nombre de host. Este comportamiento puede revertirse mediante la opci\u00f3n de l\u00ednea de comandos --security-revert"}], "id": "CVE-2021-44531", "lastModified": "2024-11-21T06:31:10.550", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-02-24T19:15:09.313", "references": [{"source": "support@hackerone.com", "tags": ["Issue Tracking", "Mitigation", "Patch", "Third Party Advisory"], "url": "https://hackerone.com/reports/1429694"}, {"source": "support@hackerone.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/"}, {"source": "support@hackerone.com", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20220325-0007/"}, {"source": "support@hackerone.com", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2022/dsa-5170"}, {"source": "support@hackerone.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}, {"source": "support@hackerone.com", "tags": ["Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpujul2022.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Mitigation", "Patch", "Third Party Advisory"], "url": "https://hackerone.com/reports/1429694"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20220325-0007/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2022/dsa-5170"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpujul2022.html"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-295"}], "source": "support@hackerone.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-295"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHEA-2022:5139", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "nodejs:12-8060020220523160029.ad008a3a", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2022-06-21T00:00:00Z"}, {"advisory": "RHSA-2022:7830", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "nodejs:14-8070020221020110846.bd1311ed", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2022-11-08T00:00:00Z"}, {"advisory": "RHSA-2022:9073", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "nodejs:16-8070020221207164159.bd1311ed", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2022-12-15T00:00:00Z"}, {"advisory": "RHEA-2022:4925", "cpe": "cpe:/a:redhat:rhel_e4s:8.1", "package": "nodejs:12-8010020220518102644.c27ad7f8", "product_name": "Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions", "release_date": "2022-06-07T00:00:00Z"}, {"advisory": "RHEA-2022:5221", "cpe": "cpe:/a:redhat:rhel_eus:8.2", "package": "nodejs:12-8020020220523154454.4cda2c84", "product_name": "Red Hat Enterprise Linux 8.2 Extended Update Support", "release_date": "2022-06-28T00:00:00Z"}, {"advisory": "RHEA-2022:5615", "cpe": "cpe:/a:redhat:rhel_eus:8.4", "package": "nodejs:12-8040020220523155137.522a0ee4", "product_name": "Red Hat Enterprise Linux 8.4 Extended Update Support", "release_date": "2022-07-19T00:00:00Z"}, {"advisory": "RHSA-2023:1742", "cpe": "cpe:/a:redhat:rhel_eus:8.6", "package": "nodejs:14-8060020230306170237.ad008a3a", "product_name": "Red Hat Enterprise Linux 8.6 Extended Update Support", "release_date": "2023-04-12T00:00:00Z"}, {"advisory": "RHSA-2022:4914", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-nodejs12-nodejs-0:12.22.12-2.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2022-06-06T00:00:00Z"}, {"advisory": "RHSA-2022:7044", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-nodejs14-nodejs-0:14.20.1-2.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2022-10-19T00:00:00Z"}, {"advisory": "RHSA-2023:3742", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.13::el9", "package": "odf4/mcg-core-rhel9:v4.13.0-41", "product_name": "RHODF-4.13-RHEL-9", "release_date": "2023-06-21T00:00:00Z"}], "bugzilla": {"description": "nodejs: Improper handling of URI Subject Alternative Names", "id": "2040839", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2040839"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "status": "verified"}, "cwe": "CWE-295", "details": ["Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 was accepting URI SAN types, which PKIs are often not defined to use. Additionally, when a protocol allows URI SANs, Node.js did not match the URI correctly.Versions of Node.js with the fix for this disable the URI SAN type when checking a certificate against a hostname. This behavior can be reverted through the --security-revert command-line option.", "A flaw was found in node.js where it accepted a certificate's Subject Alternative Names (SAN) entry, as opposed to what is specified by the HTTPS protocol. This flaw allows an active person-in-the-middle to forge a certificate and impersonate a trusted host."], "name": "CVE-2021-44531", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "nodejs", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Will not fix", "impact": "low", "package_name": "nodejs", "product_name": "Red Hat Quay 3"}], "public_date": "2022-01-10T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-44531\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-44531\nhttps://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/"], "statement": "Red Hat Quay from version 3.4 consumes nodejs from RHEL, so security tracking is provided by the container health index on the customer portal [1]. Additionally there is no impact from this issue on Quay 3.3 and 3.2 because nodejs is only used at build time and is no longer shipped, starting with Quay 3.5 [2].\n[1] https://catalog.redhat.com/software/containers/quay/quay-rhel8/600e03aadd19c7786c43ae49?container-tabs=security\n[2] https://issues.redhat.com/browse/PROJQUAY-1409\nTherefore Quay component is marked as \"Will not fix\" with impact LOW.", "threat_severity": "Moderate", "upstream_fix": "node 12.22.9, node 14.18.3, node 16.13.2, node 17.3.1"}