CVE-2021-44533
Description
Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 did not handle multi-value Relative Distinguished Names (RDNs) correctly. Attackers could craft certificate subjects containing a single-value RDN that would be interpreted as a multi-value RDN, for example in order to inject a Common Name that would allow bypassing certificate subject verification. Affected versions of Node.js do not accept multi-value RDNs and are thus not vulnerable to such attacks themselves; however, third-party code that relies on Node's ambiguous presentation of certificate subjects may be vulnerable.
Affected products
21 affected package coordinates (OSV coordinates; no CPE assigned), each with its vulnerable version range:
- pkg:bitnami/node, range: < 12.22.9
- pkg:bitnami/node-min, range: < 12.22.9
- pkg:rpm/almalinux/nodejs, range: < 1:14.20.1-2.module_el8.7.0+3342+b2df8497
- pkg:rpm/almalinux/nodejs-devel, range: < 1:14.20.1-2.module_el8.7.0+3342+b2df8497
- pkg:rpm/almalinux/nodejs-docs, range: < 1:14.20.1-2.module_el8.7.0+3342+b2df8497
- pkg:rpm/almalinux/nodejs-full-i18n, range: < 1:14.20.1-2.module_el8.7.0+3342+b2df8497
- pkg:rpm/almalinux/nodejs-nodemon, range: < 2.0.19-2.module_el8.6.0+3261+490666b3
- pkg:rpm/almalinux/nodejs-packaging, range: < 23-3.module_el8.4.0+2522+3bd42762
- pkg:rpm/almalinux/npm, range: < 1:6.14.17-1.14.20.1.2.module_el8.7.0+3342+b2df8497
- pkg:rpm/opensuse/chromium&distro=openSUSE%20Leap%2015.3, range: < 100.0.4896.88-bp153.2.82.1
- pkg:rpm/opensuse/htmldoc&distro=openSUSE%20Leap%2015.3, range: < 1.9.12-bp153.2.9.1
- pkg:rpm/opensuse/nodejs12&distro=openSUSE%20Leap%2015.3, range: < 12.22.9-4.25.1
- pkg:rpm/opensuse/nodejs14&distro=openSUSE%20Leap%2015.3, range: < 14.18.3-15.24.1
- pkg:rpm/opensuse/nodejs16&distro=openSUSE%20Tumbleweed, range: < 16.13.2-1.1
- pkg:rpm/opensuse/nodejs17&distro=openSUSE%20Tumbleweed, range: < 17.3.1-1.1
- pkg:rpm/suse/chromium&distro=SUSE%20Package%20Hub%2015%20SP3, range: < 100.0.4896.88-bp153.2.82.1
- pkg:rpm/suse/htmldoc&distro=SUSE%20Package%20Hub%2015%20SP3, range: < 1.9.12-bp153.2.9.1
- pkg:rpm/suse/nodejs12&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2012, range: < 12.22.9-1.38.1
- pkg:rpm/suse/nodejs12&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP3, range: < 12.22.9-4.25.1
- pkg:rpm/suse/nodejs14&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2012, range: < 14.18.3-6.21.1
- pkg:rpm/suse/nodejs14&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP3, range: < 14.18.3-15.24.1
References
- www.debian.org/security/2022/dsa-5170 (vendor advisory, x_refsource_DEBIAN)
- hackerone.com/reports/1429694 (x_refsource_MISC)
- nodejs.org/en/blog/vulnerability/jan-2022-security-releases/ (x_refsource_MISC)
- security.netapp.com/advisory/ntap-20220325-0007/ (x_refsource_CONFIRM)
- www.oracle.com/security-alerts/cpuapr2022.html (x_refsource_MISC)
- www.oracle.com/security-alerts/cpujul2022.html (x_refsource_MISC)