Home

CVE-2021-44533

Description

Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 did not handle multi-value Relative Distinguished Names correctly. Attackers could craft certificate subjects containing a single-value Relative Distinguished Name that would be interpreted as a multi-value Relative Distinguished Name, for example, in order to inject a Common Name that would allow bypassing the certificate subject verification.Affected versions of Node.js that do not accept multi-value Relative Distinguished Names and are thus not vulnerable to such attacks themselves. However, third-party code that uses nodes ambiguous presentation of certificate subjects may be vulnerable.

Risk Information

Base Score
5.3
MODERATE
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS Score
Exploitation Probability
0.364

Associated Vulnerability

VulnerabilityOS Platform
Vulnerabilities CVE-2021-44531,CVE-2021-44532,CVE-2021-44533,CVE-2022-21824 are fixed in Node.js 12 (x64) (12.22.9)Windows
Vulnerabilities CVE-2021-44531,CVE-2021-44532,CVE-2021-44533,CVE-2022-21824 are fixed in Node.js 12 (12.22.9)Windows
Vulnerabilities CVE-2021-44531,CVE-2021-44532,CVE-2021-44533,CVE-2022-21824 are fixed in Node.js 14 (x64) (14.18.3)Windows
Vulnerabilities CVE-2021-44531,CVE-2021-44532,CVE-2021-44533,CVE-2022-21824 are fixed in Node.js 14 (14.18.3)Windows
Vulnerabilities CVE-2021-44531,CVE-2021-44532,CVE-2021-44533,CVE-2022-21824 are fixed in Node.js 16 (x64) (16.13.2)Windows
Vulnerabilities CVE-2021-44531,CVE-2021-44532,CVE-2021-44533,CVE-2022-21824 are fixed in Node.js 16 (16.13.2)Windows
Vulnerabilities CVE-2021-44531,CVE-2021-44532,CVE-2021-44533,CVE-2022-21824 are fixed in Node.js 17 (17.9.1)Windows
Vulnerabilities CVE-2021-44531,CVE-2021-44532,CVE-2021-44533,CVE-2022-21824 are fixed in Node.js 17 (x64) (17.9.1)Windows
Multiple Vulnerabilities are affected in IBM Cognos Analytics 11.1.6Windows
Multiple Vulnerabilities are affected in IBM Business Automation Workflow 20.0.0.2Windows
Multiple vulnerabilities are affected in Oracle PeopleSoft Enterprise PeopleTools 8.58Windows
Multiple vulnerabilities are affected in Oracle PeopleSoft Enterprise PeopleTools 8.59Windows
Multiple Vulnerabilities are affected in IBM Cognos Controller 11.0.1Windows
Multiple Vulnerabilities are affected in IBM Business Automation Workflow 18.0.0.1Windows
Multiple Vulnerabilities are affected in IBM Business Automation Workflow 19.0.0.3Windows
Multiple Vulnerabilities are affected in MySQL Cluster 8.0.29Windows
Vulnerabilities CVE-2021-44533 are affected in MySQL Cluster 8.0.28Windows
Multiple Vulnerabilities are affected in IBM Business Automation Workflow 21.0.3Windows
Multiple Vulnerabilities are affected in IBM App Connect Enterprise 11.0.0.15Windows
Multiple Vulnerabilities are affected in IBM App Connect Enterprise 12.0.3.0Windows
Multiple Vulnerabilities are affected in IBM Cognos Analytics 11.2.2Windows
nodejs security update(DSA-5170-1) nodejs_12.22.12~dfsg-1~deb11u1_amd64.debLinux
(RHSA-2022:7830) nodejs:14 security update nodejs-14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64.rpmLinux
(RHSA-2022:7830) nodejs:14 security update nodejs-debugsource-14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64.rpmLinux
(RHSA-2022:7830) nodejs:14 security update nodejs-devel-14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64.rpmLinux
(RHSA-2022:7830) nodejs:14 security update nodejs-docs-14.20.1-2.module+el8.7.0+16991+b0a68a3e.noarch.rpmLinux
(RHSA-2022:7830) nodejs:14 security update nodejs-full-i18n-14.20.1-2.module+el8.7.0+16991+b0a68a3e.x86_64.rpmLinux
(RHSA-2022:7830) nodejs:14 security update nodejs-nodemon-2.0.19-2.module+el8.7.0+16991+b0a68a3e.noarch.rpmLinux
(RHSA-2022:7830) nodejs:14 security update npm-6.14.17-1.14.20.1.2.module+el8.7.0+16991+b0a68a3e.x86_64.rpmLinux
Nodejs update (ELSA-2022-9073-1) nodejs-16.18.1-3.module+el8.7.0+20893+df13f383.x86_64.rpmLinux
Nodejs-devel update (ELSA-2022-9073-1) nodejs-devel-16.18.1-3.module+el8.7.0+20893+df13f383.x86_64.rpmLinux
Nodejs-docs update (ELSA-2022-9073-1) nodejs-docs-16.18.1-3.module+el8.7.0+20893+df13f383.noarch.rpmLinux
Nodejs-full-i18n update (ELSA-2022-9073-1) nodejs-full-i18n-16.18.1-3.module+el8.7.0+20893+df13f383.x86_64.rpmLinux
Nodejs-nodemon update (ELSA-2022-9073-1) nodejs-nodemon-2.0.20-2.module+el8.7.0+20893+df13f383.noarch.rpmLinux
Nodejs-packaging update (ELSA-2022-9073-1) nodejs-packaging-25-1.module+el8.5.0+20388+4b61e68d.noarch.rpmLinux
Npm update (ELSA-2022-9073-1) npm-8.19.2-1.16.18.1.3.module+el8.7.0+20893+df13f383.x86_64.rpmLinux
(RHSA-2022:9073) nodejs:16 security, bug fix, and enhancement update nodejs-nodemon-2.0.20-2.module+el8.7.0+17412+bb0e4a6b.noarch.rpmLinux
nodejs Security Update (ALAS2023-2023-084) v8-devel-10.2.154.15-1.18.12.1.1.amzn2023.0.2.x86_64.rpmLinux
nodejs Security Update (ALAS2023-2023-084) nodejs-18.12.1-1.amzn2023.0.2.x86_64.rpmLinux
nodejs Security Update (ALAS2023-2023-084) nodejs-devel-18.12.1-1.amzn2023.0.2.x86_64.rpmLinux
nodejs Security Update (ALAS2023-2023-084) nodejs-docs-18.12.1-1.amzn2023.0.2.noarch.rpmLinux
nodejs Security Update (ALAS2023-2023-084) nodejs-full-i18n-18.12.1-1.amzn2023.0.2.x86_64.rpmLinux
nodejs Security Update (ALAS2023-2023-084) nodejs-libs-18.12.1-1.amzn2023.0.2.x86_64.rpmLinux
nodejs Security Update (ALAS2023-2023-084) npm-8.19.2-1.18.12.1.1.amzn2023.0.2.x86_64.rpmLinux

Patch Details

Click to see the patches provided by ManageEngine for this CVE
Patch IDPatch Description
PATCH-324371Node.js 12 (x64) (12.22.12)
PATCH-324370Node.js 12 (12.22.12)
PATCH-329083Node.js 14 (x64) (14.21.3)
PATCH-329082Node.js 14 (14.21.3)
PATCH-331257Node.js 16 (x64) (16.20.1)
PATCH-331256Node.js 16 (16.20.1)
PATCH-325140Node.js 17 (17.9.1)
PATCH-325141Node.js 17 (x64) (17.9.1)

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234