CVE-2021-44533

MEDIUM

Nodejs Node.js < 12.22.9 - Improper Certificate Validation

Title source: rule

Description

Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 did not handle multi-value Relative Distinguished Names correctly. Attackers could craft certificate subjects containing a single-value Relative Distinguished Name that would be interpreted as a multi-value Relative Distinguished Name, for example, in order to inject a Common Name that would allow bypassing the certificate subject verification.Affected versions of Node.js that do not accept multi-value Relative Distinguished Names and are thus not vulnerable to such attacks themselves. However, third-party code that uses node's ambiguous presentation of certificate subjects may be vulnerable.

References (6)

[Exploit, Mitigation, Third Party Advisory] https://hackerone.com/reports/1429694

[Release Notes, Vendor Advisory] https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/

[Third Party Advisory] https://security.netapp.com/advisory/ntap-20220325-0007/

[Third Party Advisory] https://www.debian.org/security/2022/dsa-5170

[Patch, Third Party Advisory] https://www.oracle.com/security-alerts/cpuapr2022.html

[Third Party Advisory] https://www.oracle.com/security-alerts/cpujul2022.html

Scores

CVSS v3 5.3

EPSS 0.0042

EPSS Percentile 61.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Classification

CWE

CWE-295

Status published

Affected Products (13)

nodejs/node.js < 12.22.9

oracle/graalvm

oracle/graalvm

oracle/graalvm

oracle/mysql_cluster < 8.0.29

oracle/mysql_cluster

oracle/mysql_connectors < 8.0.28

oracle/mysql_enterprise_monitor < 8.0.29

oracle/mysql_server < 5.7.37

oracle/mysql_workbench < 8.0.28

oracle/peoplesoft_enterprise_peopletools

oracle/peoplesoft_enterprise_peopletools

debian/debian_linux

Timeline

Published Feb 24, 2022

Tracked Since Feb 18, 2026