CVE-2021-44532

Published: Feb 24, 2022Modified: Nov 21, 2024

5.3

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Exploitability: 3.9 / Impact: 1.4

Source: NVD

Description

Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name constraints were used within a certificate chain, allowing the bypass of these name constraints.Versions of Node.js with the fix for this escape SANs containing the problematic characters in order to prevent the injection. This behavior can be reverted through the --security-revert command-line option.

Affected (16)

Products: Nodejs: Node.js · Oracle: Graalvm, Mysql Cluster, Mysql Connectors, Mysql Enterprise Monitor, Mysql Server, Mysql Workbench, Peoplesoft Enterprise Peopletools · Debian: Debian Linux

1 product

7 products

Mysql Enterprise Monitor

Mysql Server

Mysql Workbench

Peoplesoft Enterprise Peopletools

Debian

1 product

Debian Linux

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Nodejs Node.js	Before 12.22.9
Nodejs Node.js	From 14.0.0 to 14.18.3
Nodejs Node.js	From 16.0.0 to 16.13.2
Nodejs Node.js	From 17.0.0 to 17.3.1

Configuration B

11 vulnerable

Vulnerable Software	Affected Versions
Oracle Graalvm	Version 20.3.5
Oracle Graalvm	Version 21.3.1
Oracle Graalvm	Version 22.0.0.2
Oracle Mysql Cluster	Up to 8.0.29
Oracle Mysql Connectors	Up to 8.0.28
Oracle Mysql Enterprise Monitor	Up to 8.0.29
Oracle Mysql Server	Up to 5.7.37
Oracle Mysql Server	From 8.0.0 to 8.0.28
Oracle Mysql Workbench	From 8.0.0 to 8.0.28
Oracle Peoplesoft Enterprise Peopletools	Version 8.58
Oracle Peoplesoft Enterprise Peopletools	Version 8.59