A flaw was found in Node.js where it accepted a certificate's Subject Alternative Names (SAN) entry, as opposed to what is specified by the HTTPS protocol. This flaw allows an active person-in-the-middle to forge a certificate and impersonate a trusted host. (CVE-2021-44531)

It was found that Node.js did not safely read the X.509 certificate generalName format, resulting in data injection. A certificate could use a specially crafted extension in order to be successfully validated, permitting a malicious user to impersonate a trusted host. (CVE-2021-44532)

A flaw was found in Node.js, where it did not properly handle multi-value Relative Distinguished Names. This flaw allows a specially crafted X.509 certificate to produce a false multi-value Relative Distinguished Name and to inject arbitrary data in Node.js libraries. (CVE-2021-44533)

Prototype pollution via console.table properties. (CVE-2022-21824)
Vulnerable Product |
---|
nodejs node.js |
oracle peoplesoft enterprise peopletools 8.58 |
oracle peoplesoft enterprise peopletools 8.59 |
oracle mysql enterprise monitor |
oracle mysql connectors |
oracle mysql workbench |
oracle mysql server |
oracle graalvm 20.3.5 |
oracle graalvm 21.3.1 |
oracle graalvm 22.0.0.2 |
oracle mysql cluster |
oracle mysql cluster 8.0.29 |
debian debian linux 11.0 |