CVE Vulnerabilities

CVE-2021-44531

Improper Certificate Validation

Published: Feb 24, 2022 | Modified: Oct 05, 2022

CVSS 3.x: 7.4 HIGH (Source: NVD)
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

CVSS 2.x: 5.8 MEDIUM
AV:N/AC:M/Au:N/C:P/I:P/A:N

RedHat/V2

RedHat/V3: 7.4 MODERATE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Ubuntu: MEDIUM

Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 was accepting URI SAN types, which PKIs are often not defined to use. Additionally, when a protocol allows URI SANs, Node.js did not match the URI correctly. Versions of Node.js with the fix for this disable the URI SAN type when checking a certificate against a hostname. This behavior can be reverted through the --security-revert command-line option.
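For fleet auditing, the check below classifies a Node.js runtime against the version ranges in the Affected Software table and reports whether the fix has been switched off again with --security-revert. It is an added example, not code from the advisory or from Node.js; the function names are hypothetical, and it assumes the option takes the CVE id as its value and that release lines after 17.x ship with the fix.

```javascript
// Added example, not part of the advisory. First fixed release per line,
// taken from the "Affected Software" table on this page.
const FIXED_IN = { 12: [12, 22, 9], 14: [14, 18, 3], 16: [16, 13, 2], 17: [17, 3, 1] };
const CVE = 'CVE-2021-44531';

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable Node.js version: ${v}`);
  return m.slice(1).map(Number);
}

// Numeric comparison of [major, minor, patch] triples: -1, 0 or 1.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function classify(version) {
  const v = parseVersion(version);
  const major = v[0];
  if (major < 12) return 'affected';   // row "* .. 12.22.9 (excluding)"
  if (FIXED_IN[major]) return compare(v, FIXED_IN[major]) < 0 ? 'affected' : 'patched';
  if (major > 17) return 'patched';    // assumption: later lines ship with the fix
  return 'unlisted';                   // 13.x, 15.x: no table row covers them
}

// Assumption: the option is given as --security-revert=<CVE id>,
// or as two separate arguments.
function revertRequested(execArgv) {
  return execArgv.some((arg, i) =>
    arg === `--security-revert=${CVE}` ||
    (arg === '--security-revert' && execArgv[i + 1] === CVE));
}

function auditRuntime(version, execArgv) {
  const status = classify(version);
  const reverted = revertRequested(execArgv);
  // URI SANs are consulted on affected builds, and on patched builds only if reverted.
  const uriSanChecked = status === 'unlisted' ? null : status === 'affected' || reverted;
  return { status, reverted, uriSanChecked };
}

// Audit the runtime executing this script.
console.log(auditRuntime(process.version, process.execArgv));
```

A result of `unlisted` means the version falls between rows of the table and needs manual review.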

Weakness

The product does not validate, or incorrectly validates, a certificate.

Affected Software

| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Node.js | Nodejs | * | 12.22.9 (excluding) |
| Node.js | Nodejs | 14.0.0 (including) | 14.18.3 (excluding) |
| Node.js | Nodejs | 16.0.0 (including) | 16.13.2 (excluding) |
| Node.js | Nodejs | 17.0.0 (including) | 17.3.1 (excluding) |
| Red Hat Enterprise Linux 8 | RedHat | nodejs:12-8060020220523160029.ad008a3a | * |
| Red Hat Enterprise Linux 8 | RedHat | nodejs:14-8070020221020110846.bd1311ed | * |
| Red Hat Enterprise Linux 8 | RedHat | nodejs:16-8070020221207164159.bd1311ed | * |
| Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions | RedHat | nodejs:12-8010020220518102644.c27ad7f8 | * |
| Red Hat Enterprise Linux 8.2 Extended Update Support | RedHat | nodejs:12-8020020220523154454.4cda2c84 | * |
| Red Hat Enterprise Linux 8.4 Extended Update Support | RedHat | nodejs:12-8040020220523155137.522a0ee4 | * |
| Red Hat Enterprise Linux 8.6 Extended Update Support | RedHat | nodejs:14-8060020230306170237.ad008a3a | * |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 | RedHat | rh-nodejs12-nodejs-0:12.22.12-2.el7 | * |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 | RedHat | rh-nodejs14-nodejs-0:14.20.1-2.el7 | * |
| RHODF-4.13-RHEL-9 | RedHat | odf4/mcg-core-rhel9:v4.13.0-41 | * |
| Nodejs | Ubuntu | bionic | * |
| Nodejs | Ubuntu | hirsute | * |
| Nodejs | Ubuntu | impish | * |
| Nodejs | Ubuntu | kinetic | * |
| Nodejs | Ubuntu | lunar | * |
| Nodejs | Ubuntu | mantic | * |
| Nodejs | Ubuntu | trusty | * |
| Nodejs | Ubuntu | xenial | * |
