BIT-node-2021-44533

See a problem?
Import Source
https://github.com/bitnami/vulndb/tree/main/data/node/BIT-node-2021-44533.json
JSON Data
https://api.osv.dev/v1/vulns/BIT-node-2021-44533
Aliases
Published
2024-03-06T11:04:47.593Z
Modified
2024-03-06T11:25:28.861Z
Summary
[none]
Details

Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 did not handle multi-value Relative Distinguished Names correctly. Attackers could craft certificate subjects containing a single-value Relative Distinguished Name that would be interpreted as a multi-value Relative Distinguished Name, for example, in order to inject a Common Name that would allow bypassing the certificate subject verification.Affected versions of Node.js that do not accept multi-value Relative Distinguished Names and are thus not vulnerable to such attacks themselves. However, third-party code that uses node's ambiguous presentation of certificate subjects may be vulnerable.

References

Affected packages

Bitnami / node

Package

Name
node
Purl
pkg:bitnami/node

Severity

  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
12.22.9
Introduced
14.0.0
Fixed
14.18.3
Introduced
16.0.0
Fixed
16.13.2
Introduced
17.0.0
Fixed
17.3.1