Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

CVE-2021-44531

UNKNOWN
Published 2022-02-24T18:27:00
Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2021-44531. We'll provide specific mitigation strategies based on your environment and risk profile.

No CVSS data available

Description

Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 was accepting URI SAN types, which PKIs are often not defined to use. Additionally, when a protocol allows URI SANs, Node.js did not match the URI correctly.Versions of Node.js with the fix for this disable the URI SAN type when checking a certificate against a hostname. This behavior can be reverted through the --security-revert command-line option.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

Affected Products

NodeJS

Node

Affected Versions:

4.0 5.0 6.0 7.0 8.0 9.0 10.0 11.0 12.0 13.0 14.0 15.0 16.0 17.0

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

⚠ Unreviewed HIGH

GHSA-5qpf-4xwh-5775

Advisory Details

Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 was accepting URI SAN types, which PKIs are often not defined to use. Additionally, when a protocol allows URI SANs, Node.js did not match the URI correctly.Versions of Node.js with the fix for this disable the URI SAN type when checking a certificate against a hostname. This behavior can be reverted through the --security-revert command-line option.

CVSS Scoring

CVSS Score

7.5

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2021-44531
WEB https://hackerone.com/reports/1429694
WEB https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases
WEB https://security.netapp.com/advisory/ntap-20220325-0007
WEB https://www.debian.org/security/2022/dsa-5170
WEB https://www.oracle.com/security-alerts/cpuapr2022.html
WEB https://www.oracle.com/security-alerts/cpujul2022.html

Advisory provided by GitHub Security Advisory Database. Published: February 25, 2022, Modified: March 26, 2022

References

https://hackerone.com/reports/1429694
https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/
https://www.oracle.com/security-alerts/cpuapr2022.html
https://security.netapp.com/advisory/ntap-20220325-0007/
https://www.debian.org/security/2022/dsa-5170
https://www.oracle.com/security-alerts/cpujul2022.html
Published: 2022-02-24T18:27:00
Last Modified: 2025-04-30T22:24:39.015Z
Copied to clipboard!