Improper Certificate Validation in Node.js 10, 12, and 13 causes the process to abort when sending a crafted X.509 certificate
Weakness
The product does not validate, or incorrectly validates, a certificate.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Node.js | Nodejs | 10.0.0 (including) | 10.19.0 (excluding) |
| Node.js | Nodejs | 12.0.0 (including) | 12.15.0 (excluding) |
| Node.js | Nodejs | 13.0.0 (including) | 13.8.0 (excluding) |
| Red Hat Enterprise Linux 8 | RedHat | nodejs:10-8010020200213140254.c27ad7f8 | * |
| Red Hat Enterprise Linux 8 | RedHat | nodejs:12-8010020200220143053.c27ad7f8 | * |
| Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions | RedHat | nodejs:10-8000020200214110450.f8e95b4e | * |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 | RedHat | rh-nodejs10-nodejs-0:10.19.0-1.el7 | * |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 | RedHat | rh-nodejs12-nodejs-0:12.16.1-1.el7 | * |
| Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS | RedHat | rh-nodejs10-nodejs-0:10.19.0-1.el7 | * |
| Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS | RedHat | rh-nodejs12-nodejs-0:12.16.1-1.el7 | * |
| Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS | RedHat | rh-nodejs10-nodejs-0:10.19.0-1.el7 | * |
| Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS | RedHat | rh-nodejs12-nodejs-0:12.16.1-1.el7 | * |
| Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS | RedHat | rh-nodejs10-nodejs-0:10.19.0-1.el7 | * |
| Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS | RedHat | rh-nodejs12-nodejs-0:12.16.1-1.el7 | * |
| Nodejs | Ubuntu | bionic | * |
| Nodejs | Ubuntu | eoan | * |
| Nodejs | Ubuntu | esm-apps/bionic | * |
| Nodejs | Ubuntu | esm-apps/xenial | * |
| Nodejs | Ubuntu | trusty | * |
| Nodejs | Ubuntu | xenial | * |
Potential Mitigations
Related Attack Patterns
References
- http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00008.html
- https://access.redhat.com/errata/RHSA-2020:0573
- https://access.redhat.com/errata/RHSA-2020:0579
- https://access.redhat.com/errata/RHSA-2020:0597
- https://access.redhat.com/errata/RHSA-2020:0598
- https://access.redhat.com/errata/RHSA-2020:0602
- https://hackerone.com/reports/746733
- https://nodejs.org/en/blog/release/v10.19.0/
- https://nodejs.org/en/blog/release/v12.15.0/
- https://nodejs.org/en/blog/release/v13.8.0/
- https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/
- https://security.gentoo.org/glsa/202003-48
- https://security.netapp.com/advisory/ntap-20200221-0004/
- https://www.debian.org/security/2020/dsa-4669
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuapr2020.html
- http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00008.html
- https://access.redhat.com/errata/RHSA-2020:0573
- https://access.redhat.com/errata/RHSA-2020:0579
- https://access.redhat.com/errata/RHSA-2020:0597
- https://access.redhat.com/errata/RHSA-2020:0598
- https://access.redhat.com/errata/RHSA-2020:0602
- https://hackerone.com/reports/746733
- https://nodejs.org/en/blog/release/v10.19.0/
- https://nodejs.org/en/blog/release/v12.15.0/
- https://nodejs.org/en/blog/release/v13.8.0/
- https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/
- https://security.gentoo.org/glsa/202003-48
- https://security.netapp.com/advisory/ntap-20200221-0004/
- https://www.debian.org/security/2020/dsa-4669
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuapr2020.html