CVE-2016-7099

MEDIUM

Node.js <4.6.0 - Man-in-the-Middle Attack

Title source: llm

Description

The tls.checkServerIdentity function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before 4.6.0, and 6.x before 6.7.0 does not properly handle wildcards in name fields of X.509 certificates, which allows man-in-the-middle attackers to spoof servers via a crafted certificate.

References (5)

[Vendor Advisory] http://rhn.redhat.com/errata/RHSA-2017-0002.html

[Third Party Advisory] http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00013.html

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/93191

[Issue Tracking, Patch] https://github.com/nodejs/node/commit/743f0c916469f3129dfae406fa104dc46782e20b

[Patch, Vendor Advisory] https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/

Scores

CVSS v3 5.9

EPSS 0.0072

EPSS Percentile 72.1%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Classification

CWE

CWE-19

Status draft

Affected Products (50)

nodejs/node.js

nodejs/node.js

nodejs/node.js

nodejs/node.js

nodejs/node.js

nodejs/node.js

nodejs/node.js

nodejs/node.js

nodejs/node.js

nodejs/node.js

nodejs/node.js

nodejs/node.js

nodejs/node.js

nodejs/node.js

nodejs/node.js

... and 35 more

Timeline

Published Oct 10, 2016

Tracked Since Feb 18, 2026