CVE-2021-44531

Published: Feb 24, 2022Modified: Nov 21, 2024

7.4

Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Exploitability: 2.2 / Impact: 5.2

Source: NVD

Description

Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 was accepting URI SAN types, which PKIs are often not defined to use. Additionally, when a protocol allows URI SANs, Node.js did not match the URI correctly.Versions of Node.js with the fix for this disable the URI SAN type when checking a certificate against a hostname. This behavior can be reverted through the --security-revert command-line option.

Affected (15)

Products: Nodejs: Node.js · Oracle: Graalvm, Mysql Connectors, Mysql Enterprise Monitor, Mysql Server, Mysql Workbench, Peoplesoft Enterprise Peopletools, Mysql Cluster

1 product

7 products

Mysql Enterprise Monitor

Mysql Server

Mysql Workbench

Peoplesoft Enterprise Peopletools

Mysql Cluster

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Nodejs Node.js	Before 12.22.9
Nodejs Node.js	From 14.0.0 to 14.18.3
Nodejs Node.js	From 16.0.0 to 16.13.2
Nodejs Node.js	From 17.0.0 to 17.3.1

Configuration B

10 vulnerable

Vulnerable Software	Affected Versions
Oracle Graalvm	Version 20.3.5
Oracle Graalvm	Version 21.3.1
Oracle Graalvm	Version 22.0.0.2
Oracle Mysql Connectors	Up to 8.0.28
Oracle Mysql Enterprise Monitor	Up to 8.0.29
Oracle Mysql Server	Up to 5.7.37
Oracle Mysql Server	From 8.0.0 to 8.0.28
Oracle Mysql Workbench	Up to 8.0.28
Oracle Peoplesoft Enterprise Peopletools	Version 8.58
Oracle Peoplesoft Enterprise Peopletools	Version 8.59