BIT-node-2021-44532

Import Source
https://github.com/bitnami/vulndb/tree/main/data/node/BIT-node-2021-44532.json
JSON Data
https://api.osv.dev/v1/vulns/BIT-node-2021-44532
Aliases
Published
2024-03-06T11:04:58.292Z
Modified
2024-03-06T11:25:28.861Z
Summary
[none]
Details

Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name constraints were used within a certificate chain, allowing the bypass of these name constraints. Versions of Node.js with the fix for this vulnerability escape SANs containing the problematic characters in order to prevent the injection. This behavior can be reverted through the --security-revert command-line option.

References

Affected packages

Bitnami / node

Package

Name
node
Purl
pkg:bitnami/node

Severity

  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Affected ranges

Type
SEMVER
Events

  • Introduced: 0 (unknown introduced version; all previous versions are affected), Fixed: 12.22.9
  • Introduced: 14.0.0, Fixed: 14.18.3
  • Introduced: 16.0.0, Fixed: 16.13.2
  • Introduced: 17.0.0, Fixed: 17.3.1