Description
The tls.checkServerIdentity function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before 4.6.0, and 6.x before 6.7.0 does not properly handle wildcards in name fields of X.509 certificates, which allows man-in-the-middle attackers to spoof servers via a crafted certificate.
References (5)
Core 5
Core References
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/93191
Patch, Vendor Advisory x_refsource_confirm
https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/
Issue Tracking, Patch x_refsource_confirm
https://github.com/nodejs/node/commit/743f0c916469f3129dfae406fa104dc46782e20b
Vendor Advisory vendor-advisory
x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2017-0002.html
Third Party Advisory vendor-advisory
x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00013.html
Scores
CVSS v3
5.9
EPSS
0.0072
EPSS Percentile
72.7%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Details
CWE
CWE-19
Status
published
Products (50)
nodejs/node.js
0.10.0
nodejs/node.js
0.10.1
nodejs/node.js
0.10.2
nodejs/node.js
0.10.3
nodejs/node.js
0.10.4
nodejs/node.js
0.10.5
nodejs/node.js
0.10.6
nodejs/node.js
0.10.7
nodejs/node.js
0.10.8
nodejs/node.js
0.10.9
... and 40 more
Published
Oct 10, 2016
Tracked Since
Feb 18, 2026