CVE-2021-44531
Description
Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 was accepting URI SAN types, which PKIs are often not defined to use. Additionally, when a protocol allows URI SANs, Node.js did not match the URI correctly.Versions of Node.js with the fix for this disable the URI SAN type when checking a certificate against a hostname. This behavior can be reverted through the --security-revert command-line option.
Risk Information
Base Score
7.4
MODERATE
Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Score
Exploitation Probability
0.076
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| Vulnerabilities CVE-2021-44531,CVE-2021-44532,CVE-2021-44533,CVE-2022-21824 are fixed in Node.js 12 (x64) (12.22.9) | Windows |
| Vulnerabilities CVE-2021-44531,CVE-2021-44532,CVE-2021-44533,CVE-2022-21824 are fixed in Node.js 12 (12.22.9) | Windows |
| Vulnerabilities CVE-2021-44531,CVE-2021-44532,CVE-2021-44533,CVE-2022-21824 are fixed in Node.js 14 (x64) (14.18.3) | Windows |
| Vulnerabilities CVE-2021-44531,CVE-2021-44532,CVE-2021-44533,CVE-2022-21824 are fixed in Node.js 14 (14.18.3) | Windows |
| Vulnerabilities CVE-2021-44531,CVE-2021-44532,CVE-2021-44533,CVE-2022-21824 are fixed in Node.js 16 (x64) (16.13.2) | Windows |
| Vulnerabilities CVE-2021-44531,CVE-2021-44532,CVE-2021-44533,CVE-2022-21824 are fixed in Node.js 16 (16.13.2) | Windows |
| Vulnerabilities CVE-2021-44531,CVE-2021-44532,CVE-2021-44533,CVE-2022-21824 are fixed in Node.js 17 (17.9.1) | Windows |
| Vulnerabilities CVE-2021-44531,CVE-2021-44532,CVE-2021-44533,CVE-2022-21824 are fixed in Node.js 17 (x64) (17.9.1) | Windows |
| Multiple Vulnerabilities are affected in IBM Cognos Analytics 11.1.6 | Windows |
| Multiple Vulnerabilities are affected in IBM Business Automation Workflow 20.0.0.2 | Windows |
| Multiple Vulnerabilities are affected in IBM Cognos Controller 11.0.1 | Windows |
| Multiple Vulnerabilities are affected in IBM Business Automation Workflow 18.0.0.1 | Windows |
| Multiple Vulnerabilities are affected in IBM Business Automation Workflow 19.0.0.3 | Windows |
| Multiple Vulnerabilities are affected in MySQL Cluster 8.0.29 | Windows |
| Multiple Vulnerabilities are affected in IBM Business Automation Workflow 21.0.3 | Windows |
| Multiple Vulnerabilities are affected in IBM App Connect Enterprise 11.0.0.15 | Windows |
| Multiple Vulnerabilities are affected in IBM App Connect Enterprise 12.0.3.0 | Windows |
| Multiple Vulnerabilities are affected in IBM Cognos Analytics 11.2.2 | Windows |
| nodejs security update(DSA-5170-1) nodejs_12.22.12~dfsg-1~deb11u1_amd64.deb | Linux |
| (RHSA-2022:7830) nodejs:14 security update nodejs-14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64.rpm | Linux |
| (RHSA-2022:7830) nodejs:14 security update nodejs-debugsource-14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64.rpm | Linux |
| (RHSA-2022:7830) nodejs:14 security update nodejs-devel-14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64.rpm | Linux |
| (RHSA-2022:7830) nodejs:14 security update nodejs-docs-14.20.1-2.module+el8.7.0+16991+b0a68a3e.noarch.rpm | Linux |
| (RHSA-2022:7830) nodejs:14 security update nodejs-full-i18n-14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64.rpm | Linux |
| (RHSA-2022:7830) nodejs:14 security update nodejs-nodemon-2.0.19-2.module+el8.7.0+16991+b0a68a3e.noarch.rpm | Linux |
| (RHSA-2022:7830) nodejs:14 security update npm-6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.x86_64.rpm | Linux |
| Nodejs update (ELSA-2022-9073-1) nodejs-16.18.1-3.module+el8.7.0+20893+df13f383.x86_64.rpm | Linux |
| Nodejs-devel update (ELSA-2022-9073-1) nodejs-devel-16.18.1-3.module+el8.7.0+20893+df13f383.x86_64.rpm | Linux |
| Nodejs-docs update (ELSA-2022-9073-1) nodejs-docs-16.18.1-3.module+el8.7.0+20893+df13f383.noarch.rpm | Linux |
| Nodejs-full-i18n update (ELSA-2022-9073-1) nodejs-full-i18n-16.18.1-3.module+el8.7.0+20893+df13f383.x86_64.rpm | Linux |
| Nodejs-nodemon update (ELSA-2022-9073-1) nodejs-nodemon-2.0.20-2.module+el8.7.0+20893+df13f383.noarch.rpm | Linux |
| Nodejs-packaging update (ELSA-2022-9073-1) nodejs-packaging-25-1.module+el8.5.0+20388+4b61e68d.noarch.rpm | Linux |
| Npm update (ELSA-2022-9073-1) npm-8.19.2-1.16.18.1.3.module+el8.7.0+20893+df13f383.x86_64.rpm | Linux |
| (RHSA-2022:9073) nodejs:16 security, bug fix, and enhancement update nodejs-nodemon-2.0.20-2.module+el8.7.0+17412+bb0e4a6b.noarch.rpm | Linux |
| nodejs Security Update (ALAS2023-2023-084) v8-devel-10.2.154.15-1.18.12.1.1.amzn2023.0.2.x86_64.rpm | Linux |
| nodejs Security Update (ALAS2023-2023-084) nodejs-18.12.1-1.amzn2023.0.2.x86_64.rpm | Linux |
| nodejs Security Update (ALAS2023-2023-084) nodejs-devel-18.12.1-1.amzn2023.0.2.x86_64.rpm | Linux |
| nodejs Security Update (ALAS2023-2023-084) nodejs-docs-18.12.1-1.amzn2023.0.2.noarch.rpm | Linux |
| nodejs Security Update (ALAS2023-2023-084) nodejs-full-i18n-18.12.1-1.amzn2023.0.2.x86_64.rpm | Linux |
| nodejs Security Update (ALAS2023-2023-084) nodejs-libs-18.12.1-1.amzn2023.0.2.x86_64.rpm | Linux |
| nodejs Security Update (ALAS2023-2023-084) npm-8.19.2-1.18.12.1.1.amzn2023.0.2.x86_64.rpm | Linux |
Patch Details
Click to see the patches provided by ManageEngine for this CVE
| Patch ID | Patch Description |
|---|---|
| PATCH-324371 | Node.js 12 (x64) (12.22.12) |
| PATCH-324370 | Node.js 12 (12.22.12) |
| PATCH-329083 | Node.js 14 (x64) (14.21.3) |
| PATCH-329082 | Node.js 14 (14.21.3) |
| PATCH-331257 | Node.js 16 (x64) (16.20.1) |
| PATCH-331256 | Node.js 16 (16.20.1) |
| PATCH-325140 | Node.js 17 (17.9.1) |
| PATCH-325141 | Node.js 17 (x64) (17.9.1) |
References
https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234