7.4
CVSSv3

CVE-2021-44531

Published: 24/02/2022 Updated: 05/10/2022
CVSS v2 Base Score: 5.8 | Impact Score: 4.9 | Exploitability Score: 8.6
CVSS v3 Base Score: 7.4 | Impact Score: 5.2 | Exploitability Score: 2.2
VMScore: 516
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N

Vulnerability Summary

A flaw was found in node.js where it accepted a certificate's Subject Alternative Names (SAN) entry, as opposed to what is specified by the HTTPS protocol. This flaw allows an active person-in-the-middle to forge a certificate and impersonate a trusted host. (CVE-2021-44531) It was found that node.js did not safely read the x509 certificate generalName format properly, resulting in data injection. A certificate could use a specially crafted extension in order to be successfully validated, permitting an malicious user to impersonate a trusted host. (CVE-2021-44532) A flaw was found in node.js, where it did not properly handle multi-value Relative Distinguished Names. This flaw allows a specially crafted x509 certificate to produce a false multi-value Relative Distinguished Name and to inject arbitrary data in node.js libraries. (CVE-2021-44533) Prototype pollution via console.table properties (CVE-2022-21824)

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

nodejs node.js

oracle peoplesoft enterprise peopletools 8.58

oracle peoplesoft enterprise peopletools 8.59

oracle mysql enterprise monitor

oracle mysql connectors

oracle mysql workbench

oracle mysql server

oracle graalvm 20.3.5

oracle graalvm 21.3.1

oracle graalvm 22.0.0.2

oracle mysql cluster

Vendor Advisories

Synopsis Moderate: nodejs:14 security update Type/Severity Security Advisory: Moderate Red Hat Insights patch analysis Identify and remediate systems affected by this advisory View affected systems Topic An update for the nodejs:14 module is now available for Red Hat Enterprise Linux 8Red Hat Product Security has rated this update ...
Synopsis Moderate: rh-nodejs14-nodejs security update Type/Severity Security Advisory: Moderate Red Hat Insights patch analysis Identify and remediate systems affected by this advisory View affected systems Topic An update for rh-nodejs14-nodejs is now available for Red Hat Software CollectionsRed Hat Product Security has rated th ...
Synopsis Moderate: nodejs:16 security, bug fix, and enhancement update Type/Severity Security Advisory: Moderate Red Hat Insights patch analysis Identify and remediate systems affected by this advisory View affected systems Topic An update for the nodejs:16 module is now available for Red Hat Enterprise Linux 8Red Hat Product Secu ...
Debian Bug report logs - #1004177 nodejs: CVE-2021-44531 CVE-2021-44532 CVE-2021-44533 CVE-2022-21824 Package: src:nodejs; Maintainer for src:nodejs is Debian Javascript Maintainers <pkg-javascript-devel@alioth-listsdebiannet>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Sat, 22 Jan 2022 09:45:02 UTC ...
Synopsis Moderate: rh-nodejs12-nodejs security, bug fix, and enhancement update Type/Severity Security Advisory: Moderate Red Hat Insights patch analysis Identify and remediate systems affected by this advisory View affected systems Topic An update for rh-nodejs12-nodejs is now available for Red Hat Software CollectionsRed Hat Pro ...
Multiple vulnerabilities were discovered in Nodejs, which could result in HTTP request smuggling, a bypass of certificate verification or prototype pollution For the stable distribution (bullseye), these problems have been fixed in version 122212~dfsg-1~deb11u1 We recommend that you upgrade your nodejs packages For the detailed security statu ...
Synopsis Important: nodejs:14 security, bug fix, and enhancement update Type/Severity Security Advisory: Important Red Hat Insights patch analysis Identify and remediate systems affected by this advisory View affected systems Topic An update for the nodejs:14 module is now available for Red Hat Enterprise Linux 86 Extended Update ...
A flaw was found in nodejs where it accepted a certificate's Subject Alternative Names (SAN) entry, as opposed to what is specified by the HTTPS protocol This flaw allows an active person-in-the-middle to forge a certificate and impersonate a trusted host (CVE-2021-44531) It was found that nodejs did not safely read the x509 certificate general ...
ALAS-2022-214 Amazon Linux 2022 Security Advisory: ALAS-2022-214 Advisory Release Date: 2022-12-06 16:41 Pacific ...
Synopsis Important: Red Hat OpenShift Data Foundation 4130 security and bug fix update Type/Severity Security Advisory: Important Topic Updated images that include numerous enhancements, security, and bug fixes are now available in Red Hat Container Registry for Red Hat OpenShift Data Foundation 4130 on Red Hat Enterprise Linux 9Red Hat ...