CVE-2021-44532
MEDIUMNode.js < 12.22.9, < 14.18.3, < 16.13.2, < 17.3.1 - Code Injection
Title source: llmDescription
Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name constraints were used within a certificate chain, allowing the bypass of these name constraints.Versions of Node.js with the fix for this escape SANs containing the problematic characters in order to prevent the injection. This behavior can be reverted through the --security-revert command-line option.
References (6)
Core 6
Core References
Mitigation, Third Party Advisory x_refsource_misc
https://hackerone.com/reports/1429694
Exploit, Release Notes, Vendor Advisory x_refsource_misc
https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuapr2022.html
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20220325-0007/
Third Party Advisory vendor-advisory
x_refsource_debian
https://www.debian.org/security/2022/dsa-5170
Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpujul2022.html
Scores
CVSS v3
5.3
EPSS
0.0013
EPSS Percentile
32.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Details
CWE
CWE-295
CWE-296
Status
published
Products (12)
debian/debian_linux
11.0
nodejs/node.js
< 12.22.9
oracle/graalvm
20.3.5
oracle/graalvm
21.3.1
oracle/graalvm
22.0.0.2
oracle/mysql_cluster
< 8.0.29
oracle/mysql_connectors
< 8.0.28
oracle/mysql_enterprise_monitor
< 8.0.29
oracle/mysql_server
< 5.7.37
oracle/mysql_workbench
8.0.0 - 8.0.28
... and 2 more
Published
Feb 24, 2022
Tracked Since
Feb 18, 2026